Analysis of cryptographic hash functions
Christina Boura
SECRET Project-Team, INRIA Paris-Rocquencourt, and Gemalto, France
Ph.D. Defense, December 7, 2012
Symmetric key cryptography

Alice and Bob share the same secret key.

[Figure: Plaintext -> Encryption (Key) -> Ciphertext -> Decryption (Key) -> Plaintext]

Families of symmetric primitives: stream ciphers, block ciphers, hash functions.
Cryptographic hash functions

$H : \{0,1\}^* \to \{0,1\}^n$.

Security properties (complexity of the generic attack in parentheses):
- Preimage resistance ($2^n$)
- Second-preimage resistance ($2^n$)
- Collision resistance ($2^{n/2}$)

Applications: password protection, digital signatures, key derivation, random number generation, ...
The NIST SHA-3 competition

- Devastating attacks against MD5, SHA-1, ...
- Lack of confidence in SHA-2 (the standard).
- NIST launches in 2008 a public competition for defining a new standard.
- 64 submissions (October 2008)
- 51 first-round candidates
- 14 second-round candidates (July 2009)
- 5 finalists (December 2010)
- Winner of the competition: Keccak
Design of symmetric primitives

Block ciphers and hash functions use similar building blocks.

Iterated structure: $F = R_r \circ \cdots \circ R_1$.

Every round follows the principles announced by Claude Shannon:
- a nonlinear part providing confusion,
- a linear part providing diffusion.
Outline

1. Zero-sum distinguishers
   - A bound on the degree of SPN-type iterated permutations
   - A bound implying the degree of the inverse permutation
   - The notion of (v,w)-linearity
2. Side-channel analysis of some SHA-3 candidates
Vectorial functions

Cryptographic primitives are seen as vectorial Boolean functions $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$.

- These functions should behave like random functions.
- Study the properties of the inner Boolean functions to detect a non-random behaviour.
- Find a way to exploit the detected non-random behaviour.
Algebraic degree

Example: $F : \mathbb{F}_2^4 \to \mathbb{F}_2^3$,
$$F(x_0,x_1,x_2,x_3) := (x_0x_1 + x_3,\; x_0x_2x_3 + x_1x_2,\; x_0 + x_1 + x_2), \qquad \deg F = 3.$$

A low algebraic degree is exploited in algebraic attacks, higher-order differential attacks, cube attacks, ...

Higher-order differential attacks [Lai 94, Knudsen 94]: for every subspace $V$ with $\dim V > \deg F$,
$$D_V F(x) = \sum_{v \in V} F(x+v) = 0 \quad \text{for every } x \in \mathbb{F}_2^n.$$
Algebraic degree of iterated constructions

$P = P_r \circ \cdots \circ P_1$.

Question: how to estimate the algebraic degree of an iterated construction?

Trivial bound: $\deg(G \circ F) \le \deg G \cdot \deg F$.
The SHA-3 case

Keccak [Bertoni-Daemen-Peeters-Van Assche 08], winner of the SHA-3 competition.
- Sponge construction.
- Keccak-f permutation: 1600-bit state, seen as a 3-dimensional $5 \times 5 \times 64$ matrix.
- 24 rounds of $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$.
- Nonlinear layer: 320 parallel applications of a $5 \times 5$ S-box $\chi$ (5 input bits, 5 output bits), with $\deg \chi = 2$ and $\deg \chi^{-1} = 3$.
The algebraic degree of the Keccak-f permutation

Algebraic degree of the round permutation: $\deg R = 2$.

After $r$ rounds (trivial bound): $\deg(R^r) \le 2 \deg(R^{r-1})$, i.e. $\deg(R^r) \le 2^r$.

For $r = 24$ the bound exceeds 1600: no relevant information.
Zero-sum distinguishers

Zero-sums

- For block ciphers (known-key model) [Knudsen-Rijmen 07]
- For hash functions [Aumasson-Meier 09]

Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. A zero-sum of size $k$ for $F$ is a subset $\{x_1, \ldots, x_k\}$ such that
$$\sum_{i=1}^{k} x_i = \sum_{i=1}^{k} F(x_i) = 0.$$
Minimal size of a zero-sum [SAC 10]

Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$, and let $C_F$ be the linear code of length $2^n$ and dimension $2n$ generated by
$$G_F = \begin{pmatrix} x_0 & x_1 & x_2 & x_3 & \cdots & x_{2^n-1} \\ F(x_0) & F(x_1) & F(x_2) & F(x_3) & \cdots & F(x_{2^n-1}) \end{pmatrix}.$$

Proposition. $\{x_{i_1}, \ldots, x_{i_k}\} \subset \mathbb{F}_2^n$ is a zero-sum for $F$ if and only if the codeword with support $\{i_1, \ldots, i_k\}$ belongs to the dual code $C_F^\perp$.

Most notably, there exists at least one zero-sum of size 5 for $F$, and $F$ has no zero-sum of size less than or equal to 4 if and only if $F$ is an APN function.
Zero-sum partitions

Let $P$ be a permutation of $\mathbb{F}_2^n$. A zero-sum partition for $P$ of size $K = 2^k$ is a collection of $2^{n-k}$ disjoint zero-sums (of size $2^k$ each).

Complexity of the best-known generic algorithm for finding zero-sum partitions: $2^n - 2^k + (2n)^3 (2^{n-k} - 1)$.

Finding zero-sum partitions for an iterated permutation:
- exploit the non-linear part;
- exploit the linear part.
Exploiting the non-linear part [Aumasson-Meier 09]

Take advantage of a low algebraic degree after several rounds.

$P = R_r \circ \cdots \circ R_1$. Let $F_{r-t} = R_r \circ \cdots \circ R_{t+1}$ and $G_t = R_1^{-1} \circ \cdots \circ R_t^{-1}$.

Let $V \subset \mathbb{F}_2^n$ with $\dim V > \max(\deg F_{r-t}, \deg G_t)$, and let $W$ be such that $V \oplus W = \mathbb{F}_2^n$.

[Figure: $X_a \xleftarrow{\;G_t\;} V + a \xrightarrow{\;F_{r-t}\;} P(X_a)$]

Then $X_a = \{G_t(a+z),\ z \in V\}$, $a \in W$, is a zero-sum partition of $\mathbb{F}_2^n$ of size $2^{\dim V}$ for $P$.
Using the principle of higher-order differentials

With $X_a \xleftarrow{\;G_t\;} V + a \xrightarrow{\;F_{r-t}\;} P(X_a)$:
$$\sum_{x \in X_a} x = \sum_{z \in V} G_t(z+a) = D_V G_t(a) = 0,$$
$$\sum_{x \in X_a} P(x) = \sum_{z \in V} F_{r-t}(z+a) = D_V F_{r-t}(a) = 0.$$
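The construction of the two slides above, carried out on a toy permutation, as an added example (my code, not the thesis author's and not Keccak): a 9-bit SPN with three 3-bit $\chi$ S-boxes and a rotation-based linear layer, four rounds, split as $t = 2$ inverse rounds and $r - t = 2$ forward rounds. The trivial bound gives $\deg G_t \le 4$ and $\deg F_{r-t} \le 4$, so a subspace $V$ of dimension 5 yields $2^{9-5} = 16$ disjoint zero-sums of size 32, which the code verifies. The toy cipher, its parameters and all names are constructed for the illustration.

```python
# Added example: a zero-sum partition for a toy SPN permutation P = R^4 on F_2^9,
# built exactly as on the slides: X_a = {G_t(a + z) : z in V}, a in W, with
# G_t = (R^t)^{-1}, F_{r-t} = R^{r-t} and dim V > max(deg F_{r-t}, deg G_t).
# The toy cipher (3-bit chi S-boxes, a rotation-based linear layer), its
# parameters and all names are constructed for this illustration; nothing here
# is Keccak or the thesis author's code.
N = 9       # state size in bits: three 3-bit words
WORD = 3


def chi3(w):
    """3-bit chi S-box: y_i = x_i + (x_{i+1} + 1) x_{i+2}. It is a permutation of
    degree 2 whose inverse also has degree 2 (chi on an odd number of bits)."""
    b = [w >> i & 1 for i in range(WORD)]
    return sum((b[i] ^ ((b[(i + 1) % WORD] ^ 1) & b[(i + 2) % WORD])) << i for i in range(WORD))


def sbox_layer(x):
    """Parallel application of chi3 to the three words: the nonlinear part S."""
    out = 0
    for j in range(N // WORD):
        out |= chi3(x >> (WORD * j) & 0b111) << (WORD * j)
    return out


def linear_layer(x):
    """L(x) = x + rotl(x, 1) + rotl(x, 4) over F_2^9; invertible because
    1 + X + X^4 is coprime to X^9 + 1 over F_2 (constructed choice)."""
    mask = (1 << N) - 1
    rotl = lambda v, k: ((v << k) | (v >> (N - k))) & mask
    return x ^ rotl(x, 1) ^ rotl(x, 4)


def round_function(x):
    """One round R = L o S, of algebraic degree 2."""
    return linear_layer(sbox_layer(x))


def compose_table(f, times):
    """Lookup table of f^times on F_2^N (identity for times = 0)."""
    table = list(range(1 << N))
    for _ in range(times):
        table = [f(y) for y in table]
    return table


def invert_table(table):
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return inv


def span(basis):
    vs = {0}
    for b in basis:
        vs |= {v ^ b for v in vs}
    return sorted(vs)


def zero_sum_partition(rounds=4, t=2, dim_v=5):
    """Return (lookup table of P = R^rounds, list of the sets X_a).
    Trivial bound: deg G_t <= 2^t = 4 and deg F_{r-t} <= 2^(rounds-t) = 4, so
    dim V = 5 > 4 makes D_V G_t = D_V F_{r-t} = 0 and every X_a a zero-sum."""
    P = compose_table(round_function, rounds)
    G = invert_table(compose_table(round_function, t))   # G_t = (R^t)^{-1}
    V = span([1 << i for i in range(dim_v)])              # the dim_v low bits
    W = span([1 << i for i in range(dim_v, N)])           # complement: V (+) W = F_2^N
    return P, [frozenset(G[a ^ z] for z in V) for a in W]


def is_zero_sum(xs, P):
    """XOR of the elements and XOR of their images under P are both zero."""
    sx = sp = 0
    for x in xs:
        sx ^= x
        sp ^= P[x]
    return sx == 0 and sp == 0


if __name__ == "__main__":
    P, parts = zero_sum_partition()
    print(len(parts), "disjoint zero-sums of size", len(parts[0]),
          "- all valid:", all(is_zero_sum(X, P) for X in parts))
```

Choosing $t$ in the middle is what makes this work: with $t = 0$ the forward part has four rounds and the trivial bound $2^4 = 16$ exceeds the state size, so no subspace $V$ of dimension below 9 is guaranteed to work.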
Exploiting the structure of the diffusion part

Round function $R = L \circ S$, where $S$ is composed of several small S-boxes $S_0$ defined over $\mathbb{F}_2^{n_0}$. Let $B_i = \{x \in \mathbb{F}_2^n,\ \mathrm{supp}(x) \subset \text{word } i\}$.

Let $V$ be such that $B = \bigoplus_{i \in I} B_i \subset V$ and $B' = \bigoplus_{j \in J} B_j \subset L(V)$, with $\dim B > \deg G_t$ and $\dim B' > \deg F_{r-t}$.

[Figure: on the left, $G_t \circ L^{-1} \circ S^{-1}$ is applied to the cosets $b + B$ contained in $V$; on the right, $F_{r-t}$ is applied to the cosets $b' + B'$ contained in $L(V)$; the middle round $L \circ S$ links the two sides.]
Application to Keccak-f

We have shown, by using a result of [Canteaut-Videau 02], that $\deg(R^{-7}) \le 1369$.

- 18 rounds: many zero-sum partitions of size $2^{1370}$ for Keccak-f.
- By exploiting the linear structure:
  - 19 rounds: a zero-sum partition of size $2^{1458}$ for Keccak-f;
  - 20 rounds: a zero-sum partition of size $2^{1595}$ for Keccak-f.
A bound on the degree of SPN-type iterated permutations

Substitution permutation networks

[Figure: rows of parallel S-boxes S alternating with a linear layer, repeated over several rounds.]

How to estimate the evolution of the degree of such constructions?
The quantities $\delta_k$

[Figure: a 4-bit S-box with inputs $x_0, x_1, x_2, x_3$ and outputs $y_0, y_1, y_2, y_3$, with $\deg S = 3$.]

Question: if $S$ is a permutation, find $\delta_k$, the maximum degree of the product of $k$ coordinates of $S$. For this S-box:

  k | delta_k
  1 |    3
  2 |    3
  3 |    3
  4 |    4

For a permutation $F$ of $\mathbb{F}_2^n$: $\delta_k = n$ if and only if $k = n$.
The new bound [FSE 11]

Theorem. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ corresponding to the parallel application of an S-box $S$ defined over $\mathbb{F}_2^{n_0}$. Then, for any $G$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^l$, we have
$$\deg(G \circ F) \le n - \frac{n - \deg G}{\gamma}, \qquad \text{where } \gamma = \max_{1 \le i \le n_0 - 1} \frac{n_0 - i}{n_0 - \delta_i}.$$
Products of outputs

[Figure: four 4-bit S-boxes $S_1, S_2, S_3, S_4$, 16 output bits in total.]

Find the maximal degree of the product $\pi$ of $d$ outputs. Let $x_i$ be the number of S-boxes for which exactly $i$ coordinates are involved in $\pi$.

Examples for $d = 13$:
- $x_4 = 1$, $x_3 = 3$: $\deg(\pi) \le \delta_3 x_3 + \delta_4 x_4 = 3 \cdot 3 + 4 \cdot 1 = 13$.
- $x_4 = 2$, $x_3 = 1$, $x_2 = 1$: $\deg(\pi) \le \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4 = 3 \cdot 1 + 3 \cdot 1 + 4 \cdot 2 = 14$.
- $x_4 = 3$, $x_1 = 1$: $\deg(\pi) \le \delta_1 x_1 + \delta_4 x_4 = 3 \cdot 1 + 4 \cdot 3 = 15$.

In general,
$$\deg(\pi) \le \max_{(x_1, x_2, x_3, x_4)} \left(\delta_1 x_1 + \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4\right) \quad \text{with } x_1 + 2x_2 + 3x_3 + 4x_4 = d.$$
The resulting bound

   d | x_4 x_3 x_2 x_1 | deg(pi)
  16 |  4   -   -   -  |   16
  15 |  3   1   -   -  |   15
  14 |  3   -   1   -  |   15
  13 |  3   -   -   1  |   15
  12 |  2   1   -   1  |   14
  11 |  2   -   1   1  |   14
  10 |  2   -   -   2  |   14
   9 |  1   1   -   2  |   13
 ... |                 |  ...

Hence, for this S-box, $\deg(\pi) \le 16 - \frac{16 - d}{3}$.
Application to Keccak-f

$$\deg(f \circ R) \le 1600 - \frac{1600 - \deg f}{3}, \qquad \deg(f \circ R^{-1}) \le 1600 - \frac{1600 - \deg f}{2}.$$

Zero-sum partitions of size $2^{1575}$ for 24 rounds of Keccak-f.

Upper bounds on the degree after $r$ rounds, forward and inverse:

   r | deg(R^r) | deg(R^{-r})
   1 |        2 |           3
   2 |        4 |           9
   3 |        8 |          27
   4 |       16 |          81
   5 |       32 |         243
   6 |       64 |         729
   7 |      128 |        1164
   8 |      256 |        1382
   9 |      512 |        1491
  10 |     1024 |        1545
  11 |     1408 |        1572
  12 |     1536 |        1586
  13 |     1578 |        1593
  14 |     1592 |        1596
  15 |     1597 |        1598
  16 |     1599 |        1599
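The bound of the theorem applied to the two cases above, as an added example (my code, not the thesis author's): it computes $\gamma$ from a $\delta_k$ table, checks the bound $16 - (16-d)/3$ against the exact maximum of $\sum_i \delta_i x_i$ for the four-S-box toy, and reproduces the Keccak-f table by taking, at each round, the better of the trivial bound and the theorem. The $\delta_k$ values for $\chi$ and $\chi^{-1}$ are the ones the slides state or imply ($\gamma = 3$ forward, $\gamma = 2$ backward); $\delta_3 = \delta_4 = 4$ is the worst case for a 5-bit permutation and is an assumption that does not affect $\gamma$. It also goes one step beyond the slides by computing the best split of 24 rounds that the degree bounds alone allow; the slides' $2^{1575}$ is smaller than that, the difference coming from techniques not reproduced here.

```python
# Added example: the FSE 2011 degree bound
#     deg(G o F) <= n - (n - deg G) / gamma,   gamma = max_{1<=i<=n0-1} (n0 - i) / (n0 - delta_i),
# on the slides' four-S-box toy (n = 16, n0 = 4, delta = (3,3,3,4)), with a brute-force
# check against the exact maximum of sum(delta_i x_i), and on Keccak-f (n = 1600, n0 = 5),
# reproducing the table of bounds on deg(R^r) and deg(R^{-r}).  Not the thesis author's
# code; function names are mine.  delta values used for chi: delta_1 = 2 (deg chi),
# delta_2 = 4 (gamma = 3 as on the slides); for chi^{-1}: delta_1 = delta_2 = 3
# (deg chi^{-1} = 3 and the Duan-Lai observation).  delta_3 and delta_4 of a 5-bit
# permutation are at most 4; taking 4 (the worst case for the max) is an assumption
# that does not change gamma.
from fractions import Fraction
from itertools import product
from math import floor

CHI_DELTA = (2, 4, 4, 4)
CHI_INV_DELTA = (3, 3, 4, 4)


def gamma(n0, delta):
    """delta[i-1] = delta_i: maximal degree of a product of i coordinates of the S-box."""
    return max(Fraction(n0 - i, n0 - delta[i - 1]) for i in range(1, n0))


def degree_bound(n, deg_g, gam):
    """Upper bound n - (n - deg G)/gamma on deg(G o F), rounded down (degrees are integers)."""
    return floor(n - Fraction(n - deg_g) / gam)


def exact_product_degree(n_boxes, n0, delta, d):
    """Exact maximum of sum(delta_i * x_i) subject to sum(i * x_i) = d and
    sum(x_i) <= n_boxes (x_i counts the S-boxes with exactly i coordinates in the product)."""
    best = None
    for xs in product(range(n_boxes + 1), repeat=n0):
        if sum(xs) <= n_boxes and sum((i + 1) * x for i, x in enumerate(xs)) == d:
            val = sum(delta[i] * x for i, x in enumerate(xs))
            best = val if best is None else max(best, val)
    return best


def keccak_degree_bounds(rounds=16, n=1600):
    """Bounds on deg(R^r) and deg(R^{-r}) for r = 1..rounds: at each step the better of
    the trivial bound (x2 forward, x3 backward) and the theorem with gamma(chi) and
    gamma(chi^{-1})."""
    g_fwd, g_bwd = gamma(5, CHI_DELTA), gamma(5, CHI_INV_DELTA)
    fwd, bwd = [2], [3]
    for _ in range(1, rounds):
        fwd.append(min(2 * fwd[-1], degree_bound(n, fwd[-1], g_fwd)))
        bwd.append(min(3 * bwd[-1], degree_bound(n, bwd[-1], g_bwd)))
    return fwd, bwd


def best_split(rounds, n=1600):
    """(t, dim V) minimising dim V = 1 + max(deg R^{-t}, deg R^{rounds-t}) over t, i.e. the
    zero-sum partition size 2^{dim V} that the degree bounds alone give for `rounds` rounds."""
    fwd, bwd = keccak_degree_bounds(rounds - 1, n)
    best = None
    for t in range(1, rounds):
        dim_v = 1 + max(bwd[t - 1], fwd[rounds - t - 1])
        if best is None or dim_v < best[1]:
            best = (t, dim_v)
    return best


if __name__ == "__main__":
    print("gamma for the toy S-box:", gamma(4, (3, 3, 3, 4)))
    for d in range(16, 8, -1):
        print(d, exact_product_degree(4, 4, (3, 3, 3, 4), d), degree_bound(16, d, 3))
    fwd, bwd = keccak_degree_bounds()
    for r, (a, b) in enumerate(zip(fwd, bwd), 1):
        print(r, a, b)
    print("24 rounds, degree bounds only:", best_split(24))
```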
A bound implying the degree of the inverse permutation

Influence of the inverse [IEEE Trans. IT 12]

Observation of [Duan-Lai 11] for Keccak-f: when multiplying two coordinates of $\chi^{-1}$ the degree is at most 3, i.e. $\delta_2(\chi^{-1}) = 3$.

Theorem. Let $F$ be a permutation on $\mathbb{F}_2^n$. Then, for any $k$ and $l$,
$$\delta_l(F) < n - k \quad \text{if and only if} \quad \delta_k(F^{-1}) < n - l.$$

Case of Keccak: for $F = \chi^{-1}$, $k = 1$ and $l = 2$: $\delta_2(\chi^{-1}) < 5 - 1$ if and only if $\deg(\chi) < 5 - 2$.
A new bound on the degree

Corollary. Let $F$ be a permutation of $\mathbb{F}_2^n$ and let $G$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then,
$$\deg(G \circ F) < n - \frac{n - 1 - \deg G}{\deg(F^{-1})}.$$

This improves the bound for the SPN constructions.
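The quantities used in this section and in the algebraic-degree slides earlier, computed on small functions as an added example (my code, not the thesis author's and not the Keccak reference code): the algebraic degree via the Moebius transform, the vanishing of $D_V F$ for $\dim V > \deg F$ on the slides' 4-bit example $F$, the degrees of $\chi$ and $\chi^{-1}$ on one 5-bit row, the values $\delta_k$, and an exhaustive check of the theorem $\delta_l(F) < n - k \iff \delta_k(F^{-1}) < n - l$ for $\chi$. Helper names are mine; an integer encodes a bit vector with bit $i$ equal to $x_i$.

```python
# Added example: algebraic degree from a truth table (Moebius transform), the
# higher-order differential D_V F on the slides' 4-bit example, the degrees of
# the Keccak S-box chi and its inverse, and a check of the inverse-degree theorem
#   delta_l(F) < n - k   <=>   delta_k(F^{-1}) < n - l.
# Not the thesis author's code; helper names are mine.  An integer x encodes the
# vector (x_0, ..., x_{n-1}) with bit i of x equal to x_i.
from itertools import combinations


def anf(truth_table):
    """Moebius transform: truth table indexed by x -> ANF coefficients indexed by
    the monomial u (bit i of u set <=> x_i is in the monomial)."""
    a = list(truth_table)
    n = len(a).bit_length() - 1
    for i in range(n):
        for x in range(len(a)):
            if x >> i & 1:
                a[x] ^= a[x ^ (1 << i)]
    return a


def degree(truth_table):
    """Algebraic degree: largest weight of a monomial with a nonzero ANF coefficient."""
    return max((bin(u).count("1") for u, c in enumerate(anf(truth_table)) if c), default=0)


def vectorial_degree(F, n, m):
    """deg F for F: F_2^n -> F_2^m, the maximal degree of its m coordinate functions."""
    return max(degree([F(x) >> j & 1 for x in range(1 << n)]) for j in range(m))


def delta(F, n, k):
    """delta_k(F): maximal degree of a product of k coordinates of F (F: F_2^n -> F_2^n)."""
    best = 0
    for coords in combinations(range(n), k):
        tt = [1 if all(F(x) >> j & 1 for j in coords) else 0 for x in range(1 << n)]
        best = max(best, degree(tt))
    return best


def F_example(x):
    """The slides' example: F(x0,x1,x2,x3) = (x0x1 + x3, x0x2x3 + x1x2, x0 + x1 + x2)."""
    x0, x1, x2, x3 = (x >> i & 1 for i in range(4))
    y0 = (x0 & x1) ^ x3
    y1 = (x0 & x2 & x3) ^ (x1 & x2)
    y2 = x0 ^ x1 ^ x2
    return y0 | y1 << 1 | y2 << 2


def span(basis):
    """All vectors of the linear subspace spanned by `basis`."""
    vs = {0}
    for b in basis:
        vs |= {v ^ b for v in vs}
    return sorted(vs)


def higher_order_derivative(F, V, x):
    """D_V F(x) = XOR over v in V of F(x + v); it vanishes whenever dim V > deg F."""
    r = 0
    for v in V:
        r ^= F(x ^ v)
    return r


def chi(a, n=5):
    """Keccak chi on one n-bit row: y_i = x_i + (x_{i+1} + 1) x_{i+2}, indices mod n."""
    bit = lambda i: a >> (i % n) & 1
    return sum((bit(i) ^ ((bit(i + 1) ^ 1) & bit(i + 2))) << i for i in range(n))


def inverse(F, n):
    """Inverse of a permutation F of F_2^n, as a callable built from a lookup table."""
    table = [0] * (1 << n)
    for x in range(1 << n):
        table[F(x)] = x
    return lambda y: table[y]


def inverse_theorem_holds(F, n):
    """Check delta_l(F) < n - k  <=>  delta_k(F^{-1}) < n - l for all 1 <= k, l <= n - 1."""
    Finv = inverse(F, n)
    dF = {k: delta(F, n, k) for k in range(1, n)}
    dI = {k: delta(Finv, n, k) for k in range(1, n)}
    return all((dF[l] < n - k) == (dI[k] < n - l) for k in range(1, n) for l in range(1, n))


if __name__ == "__main__":
    print("deg F =", vectorial_degree(F_example, 4, 3))
    print("D_V F == 0 for V = F_2^4:",
          all(higher_order_derivative(F_example, span([1, 2, 4, 8]), x) == 0 for x in range(16)))
    print("deg chi, deg chi^-1 =", vectorial_degree(chi, 5, 5), vectorial_degree(inverse(chi, 5), 5, 5))
    print("delta_2(chi), delta_2(chi^-1) =", delta(chi, 5, 2), delta(inverse(chi, 5), 5, 2))
    print("inverse-degree theorem holds for chi:", inverse_theorem_holds(chi, 5))
```

For $V$ of dimension exactly $\deg F = 3$ the derivative need not vanish: with $V = \langle e_0, e_2, e_3 \rangle$ the monomial $x_0x_2x_3$ of the second coordinate of $F$ contributes a constant 1, which the check in the test exhibits.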
Other applications

[Figure: one round of a variant of the KN cipher, with inputs $(x_{i-1}, y_{i-1})$, round key $k_i$, maps $T$, $S$, $E$ and outputs $(x_i, y_i)$.]

Improvement of the known bounds on the degree for:
- block ciphers: Rijndael-256, AES, LBlock, Piccolo;
- hash functions: Hamsi, Luffa, JH, ECHO, Grøstl, Photon.
The notion of (v,w)-linearity

A different algebraic property

ANF of the Hamsi S-box:
$$y_0 = x_0x_2 + x_1 + x_2 + x_3$$
$$y_1 = x_0x_1x_2 + x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_0x_3 + x_2x_3 + x_0 + x_1 + x_2$$
$$y_2 = x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_1x_3 + x_2x_3 + x_0 + x_1 + x_3$$
$$y_3 = x_0x_1x_2 + x_1x_3 + x_0 + x_1 + x_2 + 1.$$

- If we fix all but one variable to a constant value, then all the coordinates of the S-box are affine with respect to the remaining input variable.
- If we fix two variables to a constant value, then two coordinates of the S-box are affine with respect to the remaining input variables.
- If we fix one variable to a constant value, then one coordinate of the S-box is affine with respect to the remaining input variables.
Definition

Study of the propagation of affine relations through an S-box.

Definition. Let $S$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then $S$ is $(v,w)$-linear if there exist two linear subspaces $V \subset \mathbb{F}_2^n$ and $W \subset \mathbb{F}_2^m$ with $\dim V = v$ and $\dim W = w$ such that, for all $\lambda \in W$, the component $S_\lambda : x \mapsto \lambda \cdot S(x)$ has degree at most 1 on all cosets of $V$.
Link with the Maiorana-McFarland construction

Proposition. $S$ is $(v,w)$-linear w.r.t. $(V,W)$ if and only if its components $S_\lambda$, $\lambda \in W$, can be written as
$$S_W : U \times V \to \mathbb{F}_2^w, \quad (u,v) \mapsto M(u)\,v + G(u),$$
where $M(u)$ is a $w \times v$ binary matrix.

Equivalently, all second-order derivatives $D_\alpha D_\beta S_W$, with $\alpha, \beta \in V$, vanish.
General properties

Proposition. If $S$ is $(v,w)$-linear w.r.t. $(V,W)$, then all its components $S_\lambda$, $\lambda \in W$, have degree at most $n + 1 - v$, and $\mathcal{L}(S) \ge 2^v$.

Equivalence holds for $v = n - 1$ and $w = 1$.
Analysis of 4-bit optimal S-boxes [Leander-Poschmann 07]

Number of $V$ such that $S$ is $(v,w)$-linear w.r.t. $(V,W)$ for some $W$, for the 16 classes $G_0, \ldots, G_{15}$ of optimal 4-bit S-boxes:

        Q  (2,1) (2,2) (2,3) (2,4) (3,1) (3,2) (3,3) (3,4)
  G_0   3   35    19     5     0     7     1     0     0
  G_1   3   35    23     3     0     7     1     0     0
  G_2   3   35    23     3     0     7     1     0     0
  G_3   0   35     5     0     0     0     0     0     0
  G_4   0   35     5     0     0     0     0     0     0
  G_5   0   35     5     0     0     0     0     0     0
  G_6   0   35     5     0     0     0     0     0     0
  G_7   0   35     5     0     0     0     0     0     0
  G_8   3   35    19     5     0     7     1     0     0
  G_9   1   35    13     0     0     3     0     0     0
  G_10  1   35    13     0     0     3     0     0     0
  G_11  0   35     5     0     0     0     0     0     0
  G_12  0   35     5     0     0     0     0     0     0
  G_13  0   35     5     0     0     0     0     0     0
  G_14  1   35    13     0     0     3     0     0     0
  G_15  1   35    11     1     0     3     0     0     0
Second-preimage attack on Hamsi-256 [Fuhr 10]

Compression function of Hamsi [Küçük 08]: 3 SPN rounds based on a 4-bit S-box.

Idea of the attack: find affine relations between some input bits and some output bits of the compression function when the other input bits are fixed to a well-chosen value. This gives preimages for the compression function, and from them second-preimages for the hash function.
Finding affine relations

Choose the variables to go linearly through the first round. For the second and the third round, look at the S-box:
$$y_0 = x_0x_2 + x_1 + x_2 + x_3$$
$$y_1 = x_0x_1x_2 + x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_0x_3 + x_2x_3 + x_0 + x_1 + x_2$$
$$y_2 = x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_1x_3 + x_2x_3 + x_0 + x_1 + x_3$$
$$y_3 = x_0x_1x_2 + x_1x_3 + x_0 + x_1 + x_2 + 1.$$

- $y_0$ is of degree at most 1 if $x_0x_2$ is of degree at most 1.
- $y_3$ is of degree at most 1 if $x_1x_3$ and $x_0x_1x_2$ are of degree at most 1.

In terms of $(v,w)$-linearity: $y_0$ is $(3,1)$-linear for three hyperplanes $V$; $y_3$ is $(2,1)$-linear for three 2-dimensional subspaces $V$.
Automatic search for affine relations

Results:
- There are 23 subspaces $V$ with $\dim V = 2$ for which the S-box of Hamsi is $(2,2)$-linear.
- There are 3 subspaces $V$ with $\dim V = 2$ for which the S-box of Hamsi is $(2,3)$-linear.

Exploit this to propagate more relations through the second and the third round:
- $N_{var} = 9$: 13 affine relations (two more than in [Fuhr 10]);
- $N_{var} = 10$: 11 affine relations (two more than in [Fuhr 10]).

Replace the Hamsi S-box by some other well-chosen S-box: the attack does not work anymore.
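The definition of $(v,w)$-linearity, its second-order-derivative characterisation and the search results of this section, as an added example (my code, not the thesis author's search tool): the Hamsi S-box is built from the ANF printed above, a component $S_\lambda$ is tested for being affine on every coset of $V$ by checking that $S_\lambda(x) + S_\lambda(x+\alpha) + S_\lambda(x+\beta) + S_\lambda(x+\alpha+\beta) = 0$ for all $\alpha, \beta \in V$, and the admissible $\lambda$ for a given $V$ form a linear subspace whose dimension is the largest $w$. Counting over all 35 two-dimensional and 15 three-dimensional subspaces of $\mathbb{F}_2^4$ reproduces the 23 and 3 of the search slide and the three hyperplanes and three planes of the previous one. Helper names are mine; the counts are cumulative in $w$, as in the table of optimal S-boxes.

```python
# Added example: (v,w)-linearity of the Hamsi S-box tested through the slides'
# characterisation "all second-order derivatives D_a D_b S_lambda, a, b in V, vanish",
# and the counts of subspaces V reported on the slides.  The S-box is the ANF printed
# on the slides (bit i of an integer is x_i / y_i); the code and names are mine, not the
# thesis author's.
from itertools import combinations


def hamsi_sbox(x):
    x0, x1, x2, x3 = (x >> i & 1 for i in range(4))
    y0 = (x0 & x2) ^ x1 ^ x2 ^ x3
    y1 = ((x0 & x1 & x2) ^ (x0 & x1 & x3) ^ (x0 & x2 & x3) ^ (x1 & x2)
          ^ (x0 & x3) ^ (x2 & x3) ^ x0 ^ x1 ^ x2)
    y2 = ((x0 & x1 & x3) ^ (x0 & x2 & x3) ^ (x1 & x2) ^ (x1 & x3)
          ^ (x2 & x3) ^ x0 ^ x1 ^ x3)
    y3 = (x0 & x1 & x2) ^ (x1 & x3) ^ x0 ^ x1 ^ x2 ^ 1
    return y0 | y1 << 1 | y2 << 2 | y3 << 3


def span(basis):
    vs = {0}
    for b in basis:
        vs |= {v ^ b for v in vs}
    return frozenset(vs)


def subspaces(n, dim):
    """All linear subspaces of F_2^n of dimension `dim`, each as a frozenset of vectors."""
    found = set()
    for basis in combinations(range(1, 1 << n), dim):
        V = span(basis)
        if len(V) == 1 << dim:        # the chosen vectors are linearly independent
            found.add(V)
    return found


def parity(v):
    return bin(v).count("1") & 1


def affine_on_cosets(S, lam, V, n):
    """True iff the component S_lam : x -> <lam, S(x)> has degree <= 1 on every coset
    of V, i.e. S_lam(x) + S_lam(x+a) + S_lam(x+b) + S_lam(x+a+b) = 0 for all x and a, b in V."""
    for a in V:
        for b in V:
            for x in range(1 << n):
                if parity(lam & (S(x) ^ S(x ^ a) ^ S(x ^ b) ^ S(x ^ a ^ b))):
                    return False
    return True


def max_w(S, V, n, m):
    """Largest w such that S is (dim V, w)-linear w.r.t. (V, W) for some W.  The
    admissible lambda form a linear subspace of F_2^m, so w is log2 of its size."""
    count = sum(1 for lam in range(1 << m) if affine_on_cosets(S, lam, V, n))
    return count.bit_length() - 1


def count_vw_linear(S, v, w, n=4, m=4):
    """Number of V with dim V = v such that S is (v, w)-linear w.r.t. (V, W) for some W."""
    return sum(1 for V in subspaces(n, v) if max_w(S, V, n, m) >= w)


def count_coordinate_affine(S, coord, v, n=4):
    """Number of V of dimension v on whose cosets the single coordinate y_coord is affine."""
    return sum(1 for V in subspaces(n, v) if affine_on_cosets(S, 1 << coord, V, n))


if __name__ == "__main__":
    for v, w in [(2, 1), (2, 2), (2, 3), (3, 1), (3, 2)]:
        print((v, w), count_vw_linear(hamsi_sbox, v, w))
    print("y0 affine on cosets of", count_coordinate_affine(hamsi_sbox, 0, 3), "hyperplanes")
    print("y3 affine on cosets of", count_coordinate_affine(hamsi_sbox, 3, 2), "2-dim subspaces")
```

The same functions run unchanged on any other 4-bit S-box given as a callable, which is how one would check whether a replacement S-box still offers the affine relations the attack needs.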
Part 2: Side-channel analysis of some SHA-3 candidates
Statistical power analysis

Attacks against a physical implementation of the primitive.

Side-channel attacks: observe physical leakages while the algorithm is running on some platform (time, power consumption, electromagnetic radiation, ...).

Statistical power analysis:
- keep power traces for many computations;
- partition the traces using a (partial) key hypothesis;
- detect the correct key by using statistical methods.

Hash functions used in MACs are concerned by these attacks.
Countermeasures for Grøstl [Gauravaram et al.]

- Protect the initial XOR between $h$ and $m$.
- Protect the rest of the computation in the same way as for AES.
- Generate a Boolean mask $R$ of 512 bits.
- Mask the S-boxes: generate once $u, v \in \mathbb{F}_2^8$ and compute $S'(x + u) = S(x) + v$ for every $x \in \mathbb{F}_2^8$.
CPA on HMAC-Grøstl

[Figure: correlation traces for the non-protected algorithm and after the application of the countermeasures.]
Countermeasures for Skein [Ferguson et al.]

- Protect the modular addition between the message and the key.
- Use Goubin's algorithm for converting Boolean masks to arithmetic masks and vice versa.
- Minimize the number of arithmetic-to-Boolean transformations.
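The two masking building blocks named on the Grøstl and Skein slides, as an added example (my code, not the countermeasure implementations the slides measure): the masked S-box table $S'(x + u) = S(x) + v$, shown on a constructed toy 8-bit bijection standing in for the AES S-box, and the Boolean-to-arithmetic direction of Goubin's mask conversion (CHES 2001) for 32-bit words, which is the operation Skein's modular additions require. Names are mine, and Python's `random` only stands in for the device RNG a real implementation would draw masks from.

```python
# Added example: two of the countermeasures named on the slides, in self-contained
# Python.  (1) Boolean masking of an S-box by a table S'(x + u) = S(x) + v computed
# once per fresh mask pair (u, v); the 8-bit S-box used here is a constructed toy
# bijection standing in for the AES S-box of Groestl.  (2) The Boolean-to-arithmetic
# direction of Goubin's mask conversion (CHES 2001), which Skein's modular additions
# need; it never branches on the secret.  Not the thesis author's code; names are mine,
# and `random` stands in for the device RNG a real implementation would use for masks.
import random

MASK32 = 0xFFFFFFFF


def toy_sbox(x):
    """Constructed bijective 8-bit S-box (affine map followed by a 3-bit rotation)."""
    y = (167 * x + 91) & 0xFF
    return ((y << 3) | (y >> 5)) & 0xFF


def masked_sbox_table(S, u, v):
    """S'(x + u) = S(x) + v for every x in F_2^8: looking S' up on the masked input
    x + u yields S(x) masked with v, so the unmasked value S(x) is never computed."""
    table = [0] * 256
    for x in range(256):
        table[x ^ u] = S(x) ^ v
    return table


def masked_sbox_consistent(S, u, v):
    """Check that unmasking the output of S' recovers S(x) for every input x."""
    sp = masked_sbox_table(S, u, v)
    return all(sp[x ^ u] ^ v == S(x) for x in range(256))


def goubin_b2a(x_prime, r, gamma):
    """Goubin's Boolean-to-arithmetic conversion on 32-bit words: given x' = x XOR r
    and a fresh random gamma, return A with x = A + r (mod 2^32)."""
    T = x_prime ^ gamma
    T = (T - gamma) & MASK32
    T ^= x_prime
    g = gamma ^ r
    A = x_prime ^ g
    A = (A - g) & MASK32
    return A ^ T


def b2a_conversion_correct(samples=200, seed=7):
    """Check (A + r) mod 2^32 == x on pseudo-random (x, r, gamma) triples."""
    rng = random.Random(seed)
    for _ in range(samples):
        x, r, gamma = (rng.getrandbits(32) for _ in range(3))
        A = goubin_b2a(x ^ r, r, gamma)
        if (A + r) & MASK32 != x:
            return False
    return True


if __name__ == "__main__":
    u, v = 0x5A, 0xC3          # constructed masks
    print("masked S-box consistent:", masked_sbox_consistent(toy_sbox, u, v))
    print("Goubin B->A correct on samples:", b2a_conversion_correct())
```

The table recomputation is the price of the Grøstl countermeasure: 256 table writes per fresh mask pair, which is why the slides report only a small timing overhead for HMAC-Grøstl but extra RAM for the table, whereas Skein pays in mask conversions on every addition.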
Comparison of the two candidates [TrustED 12]

32-bit ARM-based smart card running at 8 MHz.

  Algorithm   | Timings at 8 MHz                   | Extra RAM               | Extra code
              | reference code | secured code      | static     | stack      |
  HMAC-Grøstl | 453 ms         | 486 ms (+7.2%)    | +325 bytes | 0          | +688 bytes
  HMAC-Skein  | 77.7 ms        | 155 ms (+100%)    | 0          | +32 bytes  | +3484 bytes
Related open questions

- Are there any other algebraic biases that can be exploited?
- Does the role of the inverse permutation have any other consequences on the overall construction, apart from its influence on the degree?
- Study the notion of $(v,w)$-linearity for other primitives. Applications to block ciphers?
- Try to exploit some of the algebraic biases studied for certain lightweight block ciphers.