How to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland

Similar documents
Rebound Attack. Florian Mendel

Rebound Attack on Reduced-Round Versions of JH

Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Algebraic properties of SHA-3 and notable cryptanalysis results

Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl

Cryptanalysis of AES-Based Hash Functions

Cryptanalysis of Luffa v2 Components

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Preimage Attacks on Reduced Tiger and SHA-2

The Hash Function JH 1

Analysis of cryptographic hash functions

Weaknesses in the HAS-V Compression Function

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Rebound Distinguishers: Results on the Full Whirlpool Compression Function

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512

The SHA Family of Hash Functions: Recent Results

Preimages for Step-Reduced SHA-2

Collision Attack on Boole

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Higher-order differential properties of Keccak and Luffa

Linear Analysis of Reduced-Round CubeHash

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

New attacks on Keccak-224 and Keccak-256

Second-Order Differential Collisions for Reduced SHA-256

Higher-order differential properties of Keccak and Luffa

Zero-Sum Partitions of PHOTON Permutations

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Cryptanalysis of Twister

Linear Analysis of Reduced-Round CubeHash

A (Second) Preimage Attack on the GOST Hash Function

Quantum Preimage and Collision Attacks on CubeHash

Rotational cryptanalysis of round-reduced Keccak

Second Preimages for Iterated Hash Functions and their Implications on MACs

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

Cryptanalysis of EnRUPT

Higher-order differential properties of Keccak and Luffa

Analysis of Differential Attacks in ARX Constructions

Cryptanalysis of 1-Round KECCAK

Further progress in hashing cryptanalysis

Martin Cochran. August 24, 2008

Cryptanalysis of ARMADILLO2

New Preimage Attacks Against Reduced SHA-1

Some integral properties of Rijndael, Grøstl-512 and LANE-256

Rotational Cryptanalysis of ARX Revisited

Avoiding collisions Cryptographic hash functions. Table of contents

The Impact of Carries on the Complexity of Collision Attacks on SHA-1

Optimal Covering Codes for Finding Near-Collisions

Differential Analysis of the LED Block Cipher

Finding good differential patterns for attacks on SHA-1

An introduction to Hash functions

Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions

Cryptanalysis of ESSENCE

Known and Chosen Key Differential Distinguishers for Block Ciphers

Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

Preimage Attacks on 3, 4, and 5-Pass HAVAL

Impact of Rotations in SHA-1 and Related Hash Functions

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials

SMASH - A Cryptographic Hash Function

MARVELlous: a STARK-Friendly Family of Cryptographic Primitives

Practical pseudo-collisions for hash functions ARIRANG-224/384

Inside the Hypercube

Beyond the MD5 Collisions

A Composition Theorem for Universal One-Way Hash Functions

Quantum Differential and Linear Cryptanalysis

Improved Generic Attacks Against Hash-based MACs and HAIFA

Unaligned Rebound Attack: Application to Keccak

Subspace Trail Cryptanalysis and its Applications to AES

How (not) to efficiently dither blockcipher-based hash functions?

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Week 12: Hash Functions and MAC

STRIBOB : Authenticated Encryption

Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE

HASH FUNCTIONS. Mihir Bellare UCSD 1

Breaking H 2 -MAC Using Birthday Paradox

Haraka v2 Efficient Short-Input Hashing for Post-Quantum Applications

Preimage Attacks on 3, 4, and 5-pass HAVAL

Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family

SMASH - A Cryptographic Hash Function

On the Impact of Known-Key Attacks on Hash Functions

Inside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013

Cryptanalysis of Full Sprout

Practical Free-Start Collision Attacks on 76-step SHA-1

TheImpactofCarriesontheComplexityof Collision Attacks on SHA-1

The Security of Abreast-DM in the Ideal Cipher Model

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Title of Presentation

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Cryptographic Hash Functions

PhD-FSTC The Faculty of Sciences, Technology and Communication DISSERTATION. Defense held on 23/02/2011 in Luxembourg. to obtain the degree of

On the Big Gap Between p and q in DSA

Table Of Contents. ! 1. Introduction to AES

Transcription:

How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland

Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1 Problem 2 4 Results and Conclusion

Hash Functions and the SHA-3 Competition

Cryptographic Hash Functions H : {0, 1} {0, 1} l h Given a message of arbitrary length returns a short random-looking value of fixed length. Many applications: MAC s (authentication), digital signatures, integrity check of executables, pseudo - random generation... 1/21

Hash Function Security Requirements Classical and main security requirements: collision resistance and (second) preimage resistance. Other types of attacks: near-collisions, multicollisions, length extension attacks, distinguishers... Security proofs rely on assumptions on the building blocks: i.e., ideal permutation, collision-resistant compression function... attack the assumptions. 2/21

NIST 1 SHA-3 Competition Attacks known for current standards MD5 and SHA-1 [Wang-Yu 05, Wang et al. 05]. Confidence in SHA-2 (standard) undermined. NIST has launched the SHA-3 public competition for finding a new hash standard. 1 U.S. Institute of Standards and Technology 3/21

NIST SHA-3 Competition 64 submissions (October 2008). 51 first round candidates (October 2008). 14 second round candidates (July 2009). 5 finalists (December 2010). NIST will choose the new hash function standard in 2Q 2012. 4/21

The Rebound Attack and Motivation

Rebound Attack [Mendel et al.09] Inbound phase: 1. We choose the differential path, 2. we find differences for the black bytes that verify the path with a meet in the middle (probability=2 16 ), 3. then, for each difference match, 2 16 values make the path possible. 5/21

Rebound Attack Low cost solutions for a low probability part of the path. At first introduced for analysing AES-based functions. Improvements: multi-inbounds [Matusiewicz et al.09], super-sboxes [Gilbert-Peyrin10, Lamberger et al.09]... Quite technical. Applied to several SHA-3 candidates to build: collisions, semi-free-start collisions, distinguishers... 6/21

The Rebound Attack Applied to SHA-3: 1. ECHO 2. Grøstl 3. JH 4. Luffa 5. Lane 6. Shavite 7. Cheetah (simple and low complexity) 8. Twister (simple and low complexity) 9. Skein (high level) 7/21

We Have Noticed that... In nearly all the cases, a merge of big lists is needed, and that is very often not done in an optimal way. 8/21

We Propose Some problem definitions that will help improving the complexities. Some algorithms for solving these problems. The main aim is to help future rebound attacks to be as efficient as possible. 9/21

Merging N Lists with Respect to t

General Problem 10/21

Problem 1: Group-Wise t It can be reduced to a N = 2 situation with L A and L B. 11/21

Solving Problem 1: Instant Matching 12/21

Solving Problem 1: Gradual Matching 13/21

Solving Problem 1: Parallel Matching 14/21

Problem 1: 3 Algorithms Type of Time Memory Matching Instant O(z2 s + zp t 2 lb+zs ) O(z2 s + 2 l A + 2 l B + P t 2 l A+l B ) Gradual (z first groups) O(z2 s + 2 z s (z + S2 merge )) O(z2 s + 2 l A + 2 l B + S + P t 2 l A+l B ) Parallel (m and n groups in parallel) O(2 l n + 2 l m + 2 l A+l B n+m j=1 p j + 2 l A+ns n j=1 p j + 2 l B+ms m j=n+1 p j ) O(2 l n + 2 l m + 2 l B + 2 l B+ms m j=n+1 p j + P t 2 l A+l B ) 15/21

Problem 2: Parallel AES States For all possibles in and out, find all x such that F (x) F (x in ) = out. 16/21

Problem 2: Stop-in-the-Middle 17/21

The Rebound Attack Applied to SHA-3: Out of the studied analysis, we have been able to improve the rebound attacks on: 1. ECHO 2. Grøstl 3. JH 4. Luffa 5. Lane 18/21

Improvements on Best Known Analysis Hash Function SHA3 Rounds Previous This Paper Best Known Analysis Round / Total Time Memory Ref. Time Memory JH semi-free-start coll. 16 / 42 2 Final 2 104 [RTV10] 2 97 2 97 JH semi-free-start near coll. 22 / 42 2 168 2 143.70 [RTV10] 2 96 2 96 Grøstl-256 (compr. function property) 10 / 10 2 192 2 64 [Pey10] 2 182 2 64 Grøstl-256 Final (internal permutation dist.) 10 / 10 2 192 2 64 [Pey10] 2 175 2 64 Grøstl-512 (compr. function property) 11 / 14 2 640 2 64 [Pey10] 2 630 2 64 ECHO-256 2 nd internal permutation dist. 8 / 8 2 182 2 37 [SLW + 10] 2 151 2 67 Luffa 2 nd semi-free-start coll. 7 / 8 2 132 2 68.8 [KNPRS10] 2 112.9 2 68.8 (2 104 ) (2 102 ) Lane-256 1 st semi-free-start coll. 6+3 / 6+3 2 96 2 88 [MNPN + 09] 2 80 2 66 Lane-512 semi-free-start coll. 8+4 / 8+4 2 224 2 128 [MNPN + 09] 2 224 2 66 19/21

Conclusion Problem definition that describes the bottleneck of most rebound attacks. Importance of identifying the best situations. Several algorithms for solving the problem in different realistic scenarios. Applied to previous rebound attacks, improve considerably their complexities, and most important, results useful for future cryptanalysis. So far: 20/21

New Applications Improved Analysis of ECHO-256 [Jean et al. SAC11], stop-in-the-middle allows the best known compression function results. Rebound attack on JH42 [NP et al. Rump Session ECRYPT Hash Workshop11], problem 1 algorithms and correct problem definitions allow for a semi-free-start near-collision for 37 rounds and a permutation distinguisher for the 42 rounds. Cryptanalysis of ARMADILLO2 [Abdelraheem et al. eprint11], parallel matching allows cryptanalysis of all the variants. 21/21

References [KNPRS10] D. Khovratovich, M. Naya-Plasencia, A. Röck, and M. Schläffer. Cryptanalysis of Luffa v2 components. In SAC, volume 6544 of Lecture Notes in Computer Science, pages 388 409, 2010. [MNPN + 09] Krystian Matusiewicz, María Naya-Plasencia, Ivica Nikolic, Yu Sasaki, and Martin Schläffer. Rebound Attack on the Full Lane Compression Function. In ASIACRYPT, volume 5912 of Lecture Notes in Computer Science, pages 106 125. Springer, 2009. [Pey10] [RTV10] [SLW + 10] Thomas Peyrin. Improved Differential Attacks for ECHO and Grøstl. In Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings, volume 6223 of Lecture Notes in Computer Science, pages 370 392. Springer, 2010. Vincent Rijmen, Denis Toz, and Kerem Varici. Rebound Attack on Reduced-Round Versions of JH. In FSE, volume 6147 of Lecture Notes in Computer Science, pages 286 303, 2010. Y. Sasaki, Y. Li, L. Wang, K. Sakiyama, and K. Ohta. Non-Full-Active Super-Sbox Analysis Applications to ECHO and Grøstl. In ASIACRYPT, volume 6477 of Lecture Notes in Computer Science, pages 38 55, 2010. To appear.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback