Analysis of cryptographic hash functions


Analysis of cryptographic hash functions. Christina Boura, SECRET Project-Team, INRIA Paris-Rocquencourt, and Gemalto, France. Ph.D. defense, December 7, 2012.

Symmetric key cryptography. Alice and Bob share the same secret key: the plaintext is encrypted under the key into a ciphertext, and the ciphertext is decrypted with the same key back into the plaintext. Three families of symmetric primitives: stream ciphers, block ciphers, hash functions.

Cryptographic hash functions. $H : \{0,1\}^* \to \{0,1\}^n$. Security properties, with the complexity of the generic attack: preimage resistance ($2^n$), second-preimage resistance ($2^n$), collision resistance ($2^{n/2}$, by the birthday paradox). Applications: password protection, digital signatures, key derivation, random number generation, ...

The NIST SHA-3 competition. Devastating attacks against MD5, SHA-1, ... and reduced confidence in SHA-2 (the standard), which shares its design principles with SHA-1. NIST announced a public competition for defining a new standard in November 2007: 64 submissions (October 2008), 51 first-round candidates, 14 second-round candidates (July 2009), 5 finalists (December 2010). Winner of the competition (October 2012): Keccak.

Design of symmetric primitives. Block ciphers and hash functions use similar building blocks: an iterated structure $F = R_r \circ \cdots \circ R_1$, where every round follows the principles stated by Claude Shannon, a nonlinear part providing confusion and a linear part providing diffusion.

Outline
1. Zero-sum distinguishers
   A bound on the degree of SPN-type iterated permutations
   A bound implying the degree of the inverse permutation
   The notion of (v,w)-linearity
2. Side-channel analysis of some SHA-3 candidates

Vectorial functions. Cryptographic primitives are seen as vectorial Boolean functions $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$, which should behave like random functions. Approach: study the properties of the inner Boolean functions (the coordinates of $F$ and their linear combinations) to detect a non-random behaviour, then find a way to exploit the detected non-random behaviour.

Algebraic degree. Example: $F : \mathbb{F}_2^4 \to \mathbb{F}_2^3$, $F(x_0,x_1,x_2,x_3) := (x_0x_1 + x_3,\; x_0x_2x_3 + x_1x_2,\; x_0 + x_1 + x_2)$, so $\deg F = 3$ (the degree of $F$ is the maximum degree of its coordinates, reached here by the second one). A low algebraic degree is exploited in algebraic attacks, higher-order differential attacks, cube attacks, ... Higher-order differential attacks [Lai 94, Knudsen 94]: for every subspace $V$ with $\dim V > \deg F$, $D_V F(x) = \sum_{v \in V} F(x+v) = 0$ for every $x \in \mathbb{F}_2^n$.

Algebraic degree of iterated constructions. $P = P_r \circ \cdots \circ P_1$. Question: how to estimate the algebraic degree of an iterated construction? Trivial bound: $\deg(G \circ F) \le \deg G \cdot \deg F$.

The SHA-3 case. Keccak [Bertoni-Daemen-Peeters-Van Assche 08], winner of the SHA-3 competition: a sponge construction built on the permutation Keccak-f. Keccak-f: 1600-bit state, seen as a 3-dimensional $5 \times 5 \times 64$ matrix; 24 rounds of $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$; nonlinear layer $\chi$: 320 parallel applications of a 5-bit S-box (one per 5-bit row), with $\deg \chi = 2$ and $\deg \chi^{-1} = 3$.

The algebraic degree of the Keccak-f permutation. Algebraic degree of the round permutation: $\deg R = 2$. After $r$ rounds (trivial bound): $\deg(R^r) \le 2 \deg(R^{r-1})$, i.e. $\deg(R^r) \le 2^r$. Already for $r = 11$ this bound exceeds $1599$, the maximal degree of a permutation of $\mathbb{F}_2^{1600}$, so for $r = 24$ the trivial bound gives no relevant information.

Zero-sum distinguishers. Zero-sums: for block ciphers in the known-key model [Knudsen-Rijmen 07], for hash functions [Aumasson-Meier 09]. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. A zero-sum of size $k$ for $F$ is a subset $\{x_1, \ldots, x_k\} \subset \mathbb{F}_2^n$ such that $\sum_{i=1}^k x_i = \sum_{i=1}^k F(x_i) = 0$.

Zero-sum distinguishers. Minimal size of a zero-sum [SAC 10]. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$, and let $C_F$ be the linear code of length $2^n$ and dimension $2n$ generated by
$G_F = \begin{pmatrix} x_0 & x_1 & x_2 & x_3 & \cdots & x_{2^n-1} \\ F(x_0) & F(x_1) & F(x_2) & F(x_3) & \cdots & F(x_{2^n-1}) \end{pmatrix}$,
i.e. the column indexed by $x$ is the $2n$-bit vector $(x, F(x))$. Proposition. $\{x_{i_1}, \ldots, x_{i_k}\} \subset \mathbb{F}_2^n$ is a zero-sum for $F$ if and only if the word with support $\{i_1, \ldots, i_k\}$ belongs to the dual code $C_F^\perp$ (the columns indexed by the support sum to zero). Most notably, every $F$ has a zero-sum of size at most 5, and $F$ has no zero-sum of size less than or equal to 4 if and only if $F$ is an APN function.

Zero-sum distinguishers. Zero-sum partitions. Let $P$ be a permutation of $\mathbb{F}_2^n$. A zero-sum partition for $P$ of size $K = 2^k$ is a collection of $2^{n-k}$ disjoint zero-sums of size $2^k$, whose union is $\mathbb{F}_2^n$. Complexity of the best-known generic algorithm for finding a zero-sum partition: $2^n - 2^k + (2n)^3 (2^{n-k} - 1)$. Finding zero-sum partitions for an iterated permutation: exploit the non-linear part; exploit the linear part.

Zero-sum distinguishers. Exploiting the non-linear part [Aumasson-Meier 09]: take advantage of a low algebraic degree after several rounds. Let $P = R_r \circ \cdots \circ R_1$, $F_t^r = R_r \circ \cdots \circ R_{t+1}$ (the last $r - t$ rounds) and $G_t = R_1^{-1} \circ \cdots \circ R_t^{-1}$ (the first $t$ rounds, inverted). Let $V \subset \mathbb{F}_2^n$ with $\dim V > \max(\deg F_t^r, \deg G_t)$, and let $W$ be such that $V \oplus W = \mathbb{F}_2^n$. Then $X_a = \{G_t(a+z),\; z \in V\}$, $a \in W$, is a zero-sum partition of $\mathbb{F}_2^n$ of size $2^{\dim V}$ for $P$: the state after $t$ rounds runs through the coset $a + V$, from which $G_t$ is computed backwards and $F_t^r$ forwards.

Zero-sum distinguishers. Using the principle of higher-order differentials: $\sum_{x \in X_a} x = \sum_{z \in V} G_t(z+a) = D_V G_t(a) = 0$ and $\sum_{x \in X_a} P(x) = \sum_{z \in V} F_t^r(z+a) = D_V F_t^r(a) = 0$, since $\dim V$ exceeds both $\deg G_t$ and $\deg F_t^r$.

Zero-sum distinguishers. Exploiting the structure of the diffusion part. Round function $R = L \circ S$, where $S$ is composed of several small S-boxes $S_0$ defined over $\mathbb{F}_2^{n_0}$. Let $B_i = \{x \in \mathbb{F}_2^n,\; \mathrm{supp}(x) \subseteq \text{word } i\}$. Choose $V$ such that $B = \bigoplus_{i \in I} B_i \subseteq V$ and $B' = \bigoplus_{j \in J} B_j \subseteq L(V)$, with $\dim B > \deg G_t$ and $\dim B' > \deg F_t^r$. Place the intermediate coset $a + V$ between an S-box layer and a linear layer. Backwards, $S^{-1}$ acts word by word, so it maps every coset $b + B$ contained in $a + V$ onto a coset of $B$, and $\dim B > \deg G_t$ gives $\sum x = 0$. Forwards, $L$ maps $a + V$ onto a union of cosets $b' + B'$, the next $S$ maps each of them onto a coset of $B'$, and $\dim B' > \deg F_t^r$ gives $\sum P(x) = 0$. The S-box layers adjacent to $V$ are thus crossed for free, which gains a round over the previous construction.

Zero-sum distinguishers. Application to Keccak-f. Using a result of [Canteaut and Videau 02], we have shown that $\deg(R^7) \le 1369$. 18 rounds: many zero-sum partitions of size $2^{1370}$ for Keccak-f. By exploiting the linear structure: 19 rounds, a zero-sum partition of size $2^{1458}$ for Keccak-f; 20 rounds, a zero-sum partition of size $2^{1595}$ for Keccak-f.
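The inside-out construction of the previous slides, carried out on a toy permutation small enough to enumerate completely. This is an added example, not code from the thesis: the 10-bit permutation is constructed here for illustration (two 5-bit words, the Keccak S-box $\chi$ on each word, and a hypothetical linear layer $L(x) = x \oplus \mathrm{rotl}(x,1) \oplus \mathrm{rotl}(x,3)$ on the 10-bit word, which is invertible). With $P = R_3 \circ R_2 \circ R_1$ and $t = 1$, the backward part $G_1 = R_1^{-1}$ has degree $\deg \chi^{-1} = 3$ and the forward part $F_1^3 = R_3 \circ R_2$ has degree at most $2 \cdot 2 = 4$, so a subspace $V$ of dimension $5 > \max(4, 3)$ yields a zero-sum partition of size $2^5$. The function names are this example's own.

```python
"""Zero-sum partition for a toy 3-round SPN, built inside-out.

Constructed example: 10-bit state = two 5-bit words; S = chi || chi with chi the
Keccak S-box (deg chi = 2, deg chi^-1 = 3); L(x) = x ^ rotl(x,1) ^ rotl(x,3),
a hypothetical but invertible linear layer (gcd(1+z+z^3, z^10+1) = 1).
"""
import random

N = 10
MASK = (1 << N) - 1

def chi5(x):
    """Keccak chi on a 5-bit word: y_i = x_i + (x_{i+1} + 1) x_{i+2}, indices mod 5."""
    b = [(x >> i) & 1 for i in range(5)]
    return sum((b[i] ^ ((b[(i + 1) % 5] ^ 1) & b[(i + 2) % 5])) << i for i in range(5))

def rotl(x, k):
    return ((x << k) | (x >> (N - k))) & MASK

def round_function(x):
    """One round R = L o S."""
    s = chi5(x & 31) | (chi5(x >> 5) << 5)
    return s ^ rotl(s, 1) ^ rotl(s, 3)

ROUND = [round_function(x) for x in range(1 << N)]
assert sorted(ROUND) == list(range(1 << N)), "the toy round must be a permutation"
ROUND_INV = [0] * (1 << N)
for x, y in enumerate(ROUND):
    ROUND_INV[y] = x

def iterate(table, times, x):
    for _ in range(times):
        x = table[x]
    return x

def zero_sum_partition(t, dim_v):
    """X_a = { G_t(a + z) : z in V } for a in W, with V the low dim_v bits and W the
    complementary high bits; G_t = R_1^-1 o ... o R_t^-1 (all rounds are equal here)."""
    V = range(1 << dim_v)
    W = range(0, 1 << N, 1 << dim_v)
    return [[iterate(ROUND_INV, t, a ^ z) for z in V] for a in W]

def is_zero_sum(xs, P):
    """sum of the inputs and sum of the images both vanish."""
    sx = sy = 0
    for x in xs:
        sx ^= x
        sy ^= P(x)
    return sx == 0 and sy == 0

def is_zero_sum_partition(sets, P):
    """Every set is a zero-sum for P and the sets partition F_2^N."""
    union = sorted(x for s in sets for x in s)
    return all(is_zero_sum(s, P) for s in sets) and union == list(range(1 << N))

def toy_permutation(x, rounds=3):
    """P = R^rounds."""
    return iterate(ROUND, rounds, x)

# Control: the same sets X_a, but a random permutation in place of P. The input
# sums still vanish (they depend on G_t only); the output sums have no reason to.
RANDOM_PERM = random.Random(2012).sample(range(1 << N), 1 << N)

if __name__ == "__main__":
    sets = zero_sum_partition(t=1, dim_v=5)
    print("3-round toy SPN :", is_zero_sum_partition(sets, toy_permutation))
    print("random permutation:", is_zero_sum_partition(sets, lambda x: RANDOM_PERM[x]))
```

The control with a random permutation is what makes this a distinguisher: for the toy SPN all $2^{10-5} = 32$ sets are zero-sums by construction, whereas for a random permutation each set is a zero-sum only with probability $2^{-10}$.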

A bound on the degree of SPN-type iterated permutations. Substitution-permutation networks: layers of parallel S-boxes alternating with linear layers (figure). How to estimate the evolution of the degree of such constructions?

A bound on the degree of SPN-type iterated permutations. Example: a 4-bit S-box $S$ with inputs $x_0, \ldots, x_3$, outputs $y_0, \ldots, y_3$ and $\deg S = 3$. Question: if $S$ is a permutation, find $\delta_k$, the maximum degree of the product of $k$ coordinates of $S$. For this S-box: $\delta_1 = 3$, $\delta_2 = 3$, $\delta_3 = 3$, $\delta_4 = 4$. For any permutation $F$ of $\mathbb{F}_2^n$: $\delta_k = n$ iff $k = n$ (a product of $k < n$ coordinates of a permutation takes the value 1 on exactly $2^{n-k}$ inputs, an even number, so its degree is below $n$).

A bound on the degree of SPN-type iterated permutations. The new bound [FSE 11]. Theorem. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ corresponding to the parallel application of an S-box $S$ defined over $\mathbb{F}_2^{n_0}$. Then, for any $G$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^\ell$, we have
$\deg(G \circ F) \le n - \frac{n - \deg G}{\gamma}$, where $\gamma = \max_{1 \le i \le n_0 - 1} \frac{n_0 - i}{n_0 - \delta_i}$.

A bound on the degree of SPN-type iterated permutations. Idea of the proof, for four 4-bit S-boxes $S_1, \ldots, S_4$ (16 bits). Find the maximal degree of the product $\pi$ of $d$ output bits. Let $x_i$ be the number of S-boxes for which exactly $i$ coordinates are involved in $\pi$. Examples with $d = 13$:
$x_4 = 1$, $x_3 = 3$: $\deg \pi \le \delta_3 x_3 + \delta_4 x_4 = 3 \cdot 3 + 4 \cdot 1 = 13$;
$x_4 = 2$, $x_3 = 1$, $x_2 = 1$: $\deg \pi \le \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4 = 3 \cdot 1 + 3 \cdot 1 + 4 \cdot 2 = 14$;
$x_4 = 3$, $x_1 = 1$: $\deg \pi \le \delta_1 x_1 + \delta_4 x_4 = 3 \cdot 1 + 4 \cdot 3 = 15$.
In general, $\deg \pi \le \max_{(x_1, x_2, x_3, x_4)} (\delta_1 x_1 + \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4)$ subject to $x_1 + 2x_2 + 3x_3 + 4x_4 = d$.

A bound on the degree of SPN-type iterated permutations. Maximising over the decompositions of $d$ (with $\delta_1 = \delta_2 = \delta_3 = 3$ and $\delta_4 = 4$):
 d   x4  x3  x2  x1   deg(pi)
16    4   -   -   -     16
15    3   1   -   -     15
14    3   -   1   -     15
13    3   -   -   1     15
12    2   1   -   1     14
11    2   -   1   1     14
10    2   -   -   2     14
 9    1   1   -   2     13
...
This gives $\deg \pi \le 16 - \frac{16 - d}{3}$, i.e. $\gamma = 3$ for this S-box.

A bound on the degree of SPN-type iterated permutations. Application to Keccak-f: $\deg(F \circ R) \le 1600 - \frac{1600 - \deg F}{3}$ and $\deg(F \circ R^{-1}) \le 1600 - \frac{1600 - \deg F}{2}$. Consequence: zero-sum partitions of size $2^{1575}$ for the full 24 rounds of Keccak-f. Bounds on the degree after $r$ rounds, forwards and backwards, combining the trivial bound with the new one:
 r   deg(R^r) <=   deg(R^-r) <=
 1          2             3
 2          4             9
 3          8            27
 4         16            81
 5         32           243
 6         64           729
 7        128          1164
 8        256          1382
 9        512          1491
10       1024          1545
11       1408          1572
12       1536          1586
13       1578          1593
14       1592          1596
15       1597          1598
16       1599          1599

A bound implying the degree of the inverse permutation. Influence of the inverse [IEEE Trans. IT 12]. Observation of [Duan-Lai 11] for Keccak-f: when multiplying two coordinates of $\chi^{-1}$, the degree is at most 3, i.e. $\delta_2(\chi^{-1}) = 3$, although $\deg \chi^{-1} = 3$. Theorem. Let $F$ be a permutation on $\mathbb{F}_2^n$. Then, for any $k$ and $l$, $\delta_l(F) < n - k$ if and only if $\delta_k(F^{-1}) < n - l$. Case of Keccak: for $F = \chi^{-1}$, $k = 1$ and $l = 2$: $\delta_2(\chi^{-1}) < 5 - 1$ iff $\deg \chi < 5 - 2$, and the latter holds since $\deg \chi = 2$, which explains the observation.

A bound implying the degree of the inverse permutation. A new bound on the degree. Corollary: Let $F$ be a permutation of $\mathbb{F}_2^n$ and let $G$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then
$\deg(G \circ F) < n - \frac{n - 1 - \deg G}{\deg(F^{-1})}$.
This improves the bound for SPN constructions.
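The quantities quoted for $\chi$ on the preceding slides ($\deg \chi$, $\deg \chi^{-1}$, $\delta_k$, $\gamma$), the bound $\deg(G \circ F) \le n - (n - \deg G)/\gamma$ and its iteration into the table of bounds for Keccak-f, and the theorem $\delta_l(F) < n - k \iff \delta_k(F^{-1}) < n - l$, can all be recomputed from the 32-entry truth table of $\chi$. The following is an added example, not code from the thesis; the function names (`anf_degree`, `delta`, `gamma`, `spn_bound`, `keccak_degree_table`) are this example's own.

```python
"""Degree bookkeeping for the Keccak S-box chi and the SPN degree bound.

Everything is derived from the truth table of chi with a Moebius transform
(truth table -> ANF), so no degree is assumed, only recomputed.
"""
from fractions import Fraction
from itertools import combinations
import math

N0 = 5  # chi acts on 5-bit rows of the Keccak state

def chi(x):
    """y_i = x_i + (x_{i+1} + 1) x_{i+2}, indices mod 5; bit i of x is x_i."""
    b = [(x >> i) & 1 for i in range(N0)]
    return sum((b[i] ^ ((b[(i + 1) % N0] ^ 1) & b[(i + 2) % N0])) << i for i in range(N0))

CHI = [chi(x) for x in range(1 << N0)]
CHI_INV = [0] * (1 << N0)
for x, y in enumerate(CHI):
    CHI_INV[y] = x

def anf_degree(tt):
    """Algebraic degree of a Boolean function given by its truth table."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for i in range(n):                      # Moebius transform, in place
        for j in range(len(a)):
            if j >> i & 1:
                a[j] ^= a[j ^ (1 << i)]
    return max((bin(m).count("1") for m, c in enumerate(a) if c), default=0)

def delta(table, k):
    """delta_k(S): maximum degree of a product of k distinct coordinates of S."""
    n = len(table).bit_length() - 1
    best = 0
    for coords in combinations(range(n), k):
        prod = [int(all(y >> i & 1 for i in coords)) for y in table]
        best = max(best, anf_degree(prod))
    return best

def degree(table):
    return delta(table, 1)

def gamma(table):
    """gamma = max_{1 <= i <= n0-1} (n0 - i)/(n0 - delta_i), exact as a Fraction.
    Only meaningful for a permutation (delta_i < n0 for i < n0)."""
    n0 = len(table).bit_length() - 1
    return max(Fraction(n0 - i, n0 - delta(table, i)) for i in range(1, n0))

def spn_bound(n, deg_g, gam):
    """deg(G o F) <= n - (n - deg G)/gamma for F = parallel S-boxes on n bits."""
    return math.floor(n - Fraction(n - deg_g) / gam)

def keccak_degree_table(rounds=16, n=1600):
    """Rows (r, bound on deg R^r, bound on deg R^-r), taking at each round the
    better of the trivial bound deg G * deg F and the SPN bound."""
    gf, gi = gamma(CHI), gamma(CHI_INV)
    df, di = degree(CHI), degree(CHI_INV)
    fwd = inv = 1
    rows = []
    for r in range(1, rounds + 1):
        fwd = min(df * fwd, spn_bound(n, fwd, gf))
        inv = min(di * inv, spn_bound(n, inv, gi))
        rows.append((r, fwd, inv))
    return rows

def inverse_theorem_holds(table, table_inv):
    """delta_l(F) < n - k  iff  delta_k(F^-1) < n - l, for all 1 <= k, l <= n-1."""
    n = len(table).bit_length() - 1
    return all((delta(table, l) < n - k) == (delta(table_inv, k) < n - l)
               for k in range(1, n) for l in range(1, n))

if __name__ == "__main__":
    print("deg chi =", degree(CHI), " deg chi^-1 =", degree(CHI_INV))
    print("delta_k(chi)    =", [delta(CHI, k) for k in range(1, 6)])
    print("delta_k(chi^-1) =", [delta(CHI_INV, k) for k in range(1, 6)])
    print("gamma(chi) =", gamma(CHI), " gamma(chi^-1) =", gamma(CHI_INV))
    for r, f, i in keccak_degree_table():
        print(f"{r:2d} {f:5d} {i:5d}")
    print("inverse theorem holds on chi:", inverse_theorem_holds(CHI, CHI_INV))
```

$\gamma(\chi) = 3$ comes from $i = 2$: a product of two coordinates of $\chi$ can reach degree 4 (e.g. $y_0 y_2$ contains $x_1x_2x_3x_4$), so $(5-2)/(5-4) = 3$; $\gamma(\chi^{-1}) = 2$ comes from $i = 1$ with $\deg \chi^{-1} = 3$. These are exactly the denominators 3 and 2 in the two Keccak-f bounds.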

A bound implying the degree of the inverse permutation. Other applications. Variant of KN (figure: a Feistel-type round with transformations $T$, $S$, $E$ and round key $k_i$, mapping $(x_{i-1}, y_{i-1})$ to $(x_i, y_i)$). Improvement of the known bounds on the degree for block ciphers: Rijndael-256, AES, LBlock, Piccolo; and for hash functions: Hamsi, Luffa, JH, ECHO, Grøstl, PHOTON.

The notion of (v,w)-linearity. A different algebraic property. ANF of the Hamsi S-box:
$y_0 = x_0x_2 + x_1 + x_2 + x_3$
$y_1 = x_0x_1x_2 + x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_0x_3 + x_2x_3 + x_0 + x_1 + x_2$
$y_2 = x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_1x_3 + x_2x_3 + x_0 + x_1 + x_3$
$y_3 = x_0x_1x_2 + x_1x_3 + x_0 + x_1 + x_2 + 1$
If we fix all but one variable to a constant value, then all the coordinates of the S-box are affine in the remaining variable (as for any Boolean function). If we fix two well-chosen variables to constant values (e.g. $x_0$ and $x_1$), then two coordinates of the S-box ($y_0$ and $y_3$) are affine in the two remaining variables. If we fix one well-chosen variable to a constant value (e.g. $x_0$), then one coordinate of the S-box ($y_0$) is affine in the three remaining variables.

The notion of (v,w)-linearity. Study of the propagation of affine relations through an S-box. Definition. Let $S$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then $S$ is $(v,w)$-linear if there exist two linear subspaces $V \subseteq \mathbb{F}_2^n$ and $W \subseteq \mathbb{F}_2^m$ with $\dim V = v$ and $\dim W = w$ such that, for all $\lambda \in W$, the component $S_\lambda : x \mapsto \lambda \cdot S(x)$ has degree at most 1 on all cosets of $V$.

The notion of (v,w)-linearity. Link with the Maiorana-McFarland construction. Proposition. $S$ is $(v,w)$-linear w.r.t. $(V,W)$ if and only if its components $S_\lambda$, $\lambda \in W$, can be written as $S_W : U \times V \to \mathbb{F}_2^w$, $(u, v) \mapsto M(u)v + G(u)$, where $U$ is a complement of $V$ in $\mathbb{F}_2^n$ and $M(u)$ is a $w \times v$ binary matrix. Equivalently, all second-order derivatives $D_\alpha D_\beta S_W$ with $\alpha, \beta \in V$ vanish.

The notion of (v,w)-linearity. General properties. Proposition. If $S$ is $(v,w)$-linear w.r.t. $(V,W)$, then all its components $S_\lambda$, $\lambda \in W$, have degree at most $n + 1 - v$ and linearity $\mathcal{L}(S) \ge 2^v$. For $v = n - 1$ and $w = 1$ this is an equivalence.

The notion of (v,w)-linearity. Analysis of the 16 classes $G_0, \ldots, G_{15}$ of optimal 4-bit S-boxes [Leander-Poschmann 07]: number of $V$ such that $S$ is $(v,w)$-linear w.r.t. $(V,W)$ for some $W$.
class   Q  (2,1) (2,2) (2,3) (2,4) (3,1) (3,2) (3,3) (3,4)
G0      3    35    19     5     0     7     1     0     0
G1      3    35    23     3     0     7     1     0     0
G2      3    35    23     3     0     7     1     0     0
G3      0    35     5     0     0     0     0     0     0
G4      0    35     5     0     0     0     0     0     0
G5      0    35     5     0     0     0     0     0     0
G6      0    35     5     0     0     0     0     0     0
G7      0    35     5     0     0     0     0     0     0
G8      3    35    19     5     0     7     1     0     0
G9      1    35    13     0     0     3     0     0     0
G10     1    35    13     0     0     3     0     0     0
G11     0    35     5     0     0     0     0     0     0
G12     0    35     5     0     0     0     0     0     0
G13     0    35     5     0     0     0     0     0     0
G14     1    35    13     0     0     3     0     0     0
G15     1    35    11     1     0     3     0     0     0

The notion of (v,w)-linearity. Second-preimage attack on Hamsi-256 [Fuhr 10]. Compression function of Hamsi [Küçük 08]: 3 SPN rounds based on a 4-bit S-box. Idea of the attack: find affine relations between some input bits and some output bits of the compression function when the other input bits are fixed to well-chosen values. This gives preimages for the compression function, hence second preimages for the hash function.

The notion of (v,w)-linearity. Finding affine relations. Choose the variables so that they go linearly through the first round. For the second and the third round, look at the ANF of the S-box:
$y_0 = x_0x_2 + x_1 + x_2 + x_3$
$y_1 = x_0x_1x_2 + x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_0x_3 + x_2x_3 + x_0 + x_1 + x_2$
$y_2 = x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_1x_3 + x_2x_3 + x_0 + x_1 + x_3$
$y_3 = x_0x_1x_2 + x_1x_3 + x_0 + x_1 + x_2 + 1$
$y_0$ is of degree at most 1 if $x_0x_2$ is of degree at most 1; $y_3$ is of degree at most 1 if $x_1x_3$ and $x_0x_1x_2$ are of degree at most 1. In terms of $(v,w)$-linearity: $y_0$ is $(3,1)$-linear for three hyperplanes $V$, and $y_3$ is $(2,1)$-linear for three 2-dimensional subspaces $V$.

The notion of (v,w)-linearity. Automatic search for affine relations. Results: there are 23 subspaces $V$ with $\dim V = 2$ for which the S-box of Hamsi is $(2,2)$-linear, and 3 subspaces $V$ with $\dim V = 2$ for which it is $(2,3)$-linear. Exploiting this to propagate more relations through the second and the third round: $N_{var} = 9$: 13 affine relations (two more than in [Fuhr 10]); $N_{var} = 10$: 11 affine relations (two more than in [Fuhr 10]). If the Hamsi S-box is replaced by some other well-chosen S-box, the attack does not work anymore.
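The counts on this slide and the per-coordinate statements of the previous one can be recomputed by exhaustive search over the subspaces of $\mathbb{F}_2^4$, using the characterisation by vanishing second-order derivatives. The following is an added example, not the search code of the thesis: it takes the ANF of the Hamsi S-box from the slides (with $x_0$ the least significant input bit and $y_0$ the least significant output bit), computes for every subspace $V$ the space $W_V$ of all $\lambda$ such that $\lambda \cdot S$ is affine on every coset of $V$, and counts the $V$ with $\dim W_V \ge w$. Function names are this example's own.

```python
"""(v,w)-linearity of the Hamsi S-box, recomputed from its ANF."""
from itertools import combinations

def hamsi_sbox(x):
    x0, x1, x2, x3 = ((x >> i) & 1 for i in range(4))
    y0 = (x0 & x2) ^ x1 ^ x2 ^ x3
    y1 = ((x0 & x1 & x2) ^ (x0 & x1 & x3) ^ (x0 & x2 & x3) ^ (x1 & x2) ^ (x0 & x3)
          ^ (x2 & x3) ^ x0 ^ x1 ^ x2)
    y2 = ((x0 & x1 & x3) ^ (x0 & x2 & x3) ^ (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)
          ^ x0 ^ x1 ^ x3)
    y3 = (x0 & x1 & x2) ^ (x1 & x3) ^ x0 ^ x1 ^ x2 ^ 1
    return y0 | (y1 << 1) | (y2 << 2) | (y3 << 3)

SBOX = [hamsi_sbox(x) for x in range(16)]
N = 4

def span(vectors):
    s = {0}
    for v in vectors:
        s |= {u ^ v for u in s}
    return frozenset(s)

def subspaces(n, v):
    """All v-dimensional linear subspaces of F_2^n, each as a frozenset of its elements."""
    found = set()
    for basis in combinations(range(1, 1 << n), v):
        s = span(basis)
        if len(s) == 1 << v:          # the chosen vectors were independent
            found.add(s)
    return found

def parity(x):
    return bin(x).count("1") & 1

def is_affine_on_cosets(f, V):
    """f: truth table of a Boolean function. Degree <= 1 on every coset of V
    <=> every second-order derivative D_a D_b f with a, b in V vanishes."""
    for a in V:
        for b in V:
            for x in range(len(f)):
                if f[x] ^ f[x ^ a] ^ f[x ^ b] ^ f[x ^ a ^ b]:
                    return False
    return True

def component(sbox, lam):
    """Truth table of S_lambda : x -> lambda . S(x)."""
    return [parity(lam & y) for y in sbox]

def W_of(sbox, V):
    """W_V: all lambda whose component is affine on every coset of V. The condition
    is linear in lambda, so W_V is a subspace and len(W_V) = 2^dim W_V."""
    n = len(sbox).bit_length() - 1
    return [lam for lam in range(1 << n) if is_affine_on_cosets(component(sbox, lam), V)]

def count_vw_linear(sbox, v, w):
    """Number of V with dim V = v such that S is (v,w)-linear w.r.t. (V, W) for some W."""
    n = len(sbox).bit_length() - 1
    return sum(1 for V in subspaces(n, v) if len(W_of(sbox, V)) >= 1 << w)

def subspaces_where_component_is_affine(sbox, lam, v):
    """Number of v-dimensional V on whose cosets the single component S_lambda is affine."""
    n = len(sbox).bit_length() - 1
    f = component(sbox, lam)
    return sum(1 for V in subspaces(n, v) if is_affine_on_cosets(f, V))

if __name__ == "__main__":
    for v, w in [(2, 1), (2, 2), (2, 3), (2, 4), (3, 1), (3, 2), (3, 3), (3, 4)]:
        print(f"({v},{w}): {count_vw_linear(SBOX, v, w)}")
    print("y_0 affine on the cosets of", subspaces_where_component_is_affine(SBOX, 1, 3), "hyperplanes")
    print("y_3 affine on the cosets of", subspaces_where_component_is_affine(SBOX, 8, 2), "2-dim subspaces")
```

The $(2,1)$ count is 35, the total number of 2-dimensional subspaces of $\mathbb{F}_2^4$, for every S-box of degree 3: $D_a D_b S$ is then affine on $\mathbb{F}_2^4 / V \simeq \mathbb{F}_2^2$, so its four values span at most a 3-dimensional space and some nonzero $\lambda$ is orthogonal to all of them.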

Part 2: Side-channel analysis of some SHA-3 candidates.

Side-channel analysis of some SHA-3 candidates. Statistical power analysis: attacks against a physical implementation of the primitive. Side-channel attacks observe physical leakages while the algorithm is running on some platform (time, power consumption, electromagnetic radiation, ...). Statistical power analysis: record power traces for many computations, partition the traces according to a (partial) key hypothesis, and detect the correct key with statistical methods. Hash functions used in MACs (HMAC), where the hash processes secret-key-dependent data, are concerned by these attacks.

Side-channel analysis of some SHA-3 candidates. Countermeasures for Grøstl [Gauravaram et al.]: protect the initial XOR between the chaining value $h$ and the message block $m$; protect the rest of the computation in the same way as for AES: generate a Boolean mask $R$ of 512 bits, and mask the S-boxes, i.e. generate once $u, v \in \mathbb{F}_2^8$ and compute the table $S'$ with $S'(x + u) = S(x) + v$ for every $x \in \mathbb{F}_2^8$.

Side-channel analysis of some SHA-3 candidates. CPA on HMAC-Grøstl (figures: correlation traces for the non-protected algorithm and after the application of the countermeasures).

Side-channel analysis of some SHA-3 candidates. Countermeasures for Skein [Ferguson et al.]: protect the modular addition between the message and the key; use Goubin's algorithm for converting Boolean masks to arithmetic masks and vice versa; minimise the number of arithmetic-to-Boolean conversions, the costlier of the two directions.
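The two countermeasures above, Boolean masking of a byte-oriented S-box layer (the Grøstl case) and Goubin's Boolean-to-arithmetic conversion ahead of a modular addition (the Skein case), as an added example that is not the code of the thesis or of the cited papers. The S-box is the AES S-box, which Grøstl uses, recomputed here from inversion in $\mathbb{F}_{2^8}$; the 512-bit state mask $R$ of the slide is modelled as one mask byte per state byte; the function names are this example's own. Only the Boolean-to-arithmetic direction of Goubin's algorithm is shown.

```python
"""First-order masking: masked S-box layer (Grøstl) and Goubin's B->A conversion (Skein)."""
import secrets

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); 0 is mapped to 0 as in AES."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def aes_sbox(x):
    y = gf_inv(x)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rot(y, 1) ^ rot(y, 2) ^ rot(y, 3) ^ rot(y, 4) ^ 0x63

SBOX = [aes_sbox(x) for x in range(256)]

def masked_sbox_table(u, v):
    """S'(x) = S(x ^ u) ^ v, computed once per (u, v), so that S'(s ^ u) = S(s) ^ v."""
    return [SBOX[x ^ u] ^ v for x in range(256)]

def masked_sub_bytes(masked_state, masks, u, v):
    """masked_state[i] = s[i] ^ masks[i]. Switch every byte's mask to u, look it up
    in the masked table, return bytes masked with v. The order of the XORs matters:
    (m ^ u) ^ r never forms s, whereas (m ^ r) ^ u would expose it."""
    table = masked_sbox_table(u, v)
    return [table[(m ^ u) ^ r] for m, r in zip(masked_state, masks)]

def sub_bytes_masked(state):
    """Mask a state with fresh random bytes, run the masked S-box layer, and return
    (masked output, output mask v) so the caller keeps working on shares."""
    masks = [secrets.randbelow(256) for _ in state]
    u, v = secrets.randbelow(256), secrets.randbelow(256)
    masked_state = [s ^ r for s, r in zip(state, masks)]
    return masked_sub_bytes(masked_state, masks, u, v), v

def boolean_to_arithmetic(x_bool, r, k=64):
    """Goubin (CHES 2001), Boolean to arithmetic: from x' = x ^ r return A such that
    x = (A + r) mod 2^k, without ever computing x. Relies on the fact that
    G -> ((x' ^ G) - G) mod 2^k is affine over F_2 in G."""
    mod = (1 << k)
    g = secrets.randbelow(mod)
    t = ((x_bool ^ g) - g) % mod
    t ^= x_bool
    g ^= r
    a = ((x_bool ^ g) - g) % mod
    return a ^ t

def masked_add(x_bool, rx, y_bool, ry, k=64):
    """Add two Boolean-masked k-bit words as Skein's modular addition requires.
    Returns (s_arith, rs) with x + y = (s_arith + rs) mod 2^k; x and y are never formed."""
    mod = 1 << k
    ax = boolean_to_arithmetic(x_bool, rx, k)
    ay = boolean_to_arithmetic(y_bool, ry, k)
    return (ax + ay) % mod, (rx + ry) % mod

if __name__ == "__main__":
    state = [0x00, 0x53, 0xFF, 0x10]                 # constructed sample state
    out, v = sub_bytes_masked(state)
    print("unmasked S-box output:", [hex(o ^ v) for o in out])
    x, r = 0x1234_5678_9ABC_DEF0, secrets.randbelow(1 << 64)
    print("B->A ok:", (boolean_to_arithmetic(x ^ r, r) + r) % (1 << 64) == x)
```

Why the table and the XOR order matter: with a fresh $(u, v)$ the table recomputation costs 256 lookups, but every value that touches memory or the ALU is $s \oplus u$, $S(s) \oplus v$ or a mask, so no first-order leakage on $s$ or $S(s)$ exists; computing $m \oplus r$ first would briefly hold $s$ in a register and defeat the scheme. For Skein the conversion is what allows the key and message words to be added while still masked.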

Side-channel analysis of some SHA-3 candidates. Comparison of the two candidates [TrustED 12] on a 32-bit ARM-based smart card running at 8 MHz:
Algorithm     Timing, reference code   Timing, secured code   Extra RAM (static)   Extra RAM (stack)   Extra code
HMAC-Grøstl   453 ms                   486 ms (+7.2%)         +325 bytes           0                   +688 bytes
HMAC-Skein    77.7 ms                  155 ms (+100%)         0                    +32 bytes           +3484 bytes

Related open questions. Are there any other algebraic biases that can be exploited? Does the role of the inverse permutation have other consequences on the overall construction, beyond its influence on the degree? Study the notion of $(v,w)$-linearity for other primitives: applications to block ciphers? Try to exploit some of the algebraic biases studied here against certain lightweight block ciphers.