Algebraic properties of SHA-3 and notable cryptanalysis results

Christina Boura, University of Versailles, France
ICMC 2015, January 9, 2014

Cryptographic Hash Functions
$$H : \{0,1\}^* \to \{0,1\}^n, \qquad m \mapsto h = H(m) = \underbrace{0111011000101\ldots01}_{n \text{ bits}}$$
Security properties:
- Preimage resistance (complexity of the generic attack: $2^n$)
- Second-preimage resistance (complexity of the generic attack: $2^n$)
- Collision resistance (complexity of the generic attack: $2^{n/2}$)
Applications: password protection, digital signatures, key derivation, random number generation, ...

Hash functions before 2004
MD4, MD5, SHA-0, SHA-1, SHA-2...
- Merkle-Damgård was normal way to build hashes.
- MD4 was known to be broken by Dobbertin, but still saw occasional use.
- MD5 was known to have theoretical weaknesses from Den Boer/Bosselaers and Dobbertin, but still in wide use.
- SHA-0 was known to have weaknesses and wasn't used.
- SHA-1 was thought to be very strong.
- SHA-2 looked like the future, with security up to 256 bits.
John Kelsey, NIST, August 2013

The NIST SHA-3 competition
- Devastating attacks against MD5, SHA-1, ... by Wang et al. (2004).
- Lack of confidence in SHA-2 (standard).
- In 2008, NIST launches a public competition to define a new standard:
  - 64 submissions (October 2008)
  - 51 first-round candidates
  - 14 second-round candidates (July 2009)
  - 5 finalists (December 2010)
- Winner of the competition (October 2012): Keccak
- SHA-3 standard: Draft FIPS PUB 202 (May 2014)

Outline
1. Keccak's specifications
2. Algebraic properties of Keccak-f
3. Collision attacks against reduced-round Keccak

Keccak's specifications: The Keccak team
Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche (STMicroelectronics, NXP Semiconductors)

Keccak's specifications: The sponge construction [Bertoni, Daemen, Peeters, Van Assche 08]
[Figure: the sponge construction. Message blocks $m_1, m_2, \ldots, m_k$ are absorbed and output blocks $z_1, z_2, z_3, \ldots$ are squeezed through repeated calls to $f$ on a state of $r + c$ bits initialized to 0.]
- Variable input length, variable output length
- Fixed-length permutation (or transformation)
- Two parameters: bitrate $r$, capacity $c$, with $r + c = b$, where $b$ is the size of the permutation.

Keccak's specifications: Security claims
- Traditionally, for fixed-length output functions, resistance to hash function attacks is expressed by means of the output length $n$.
- Sponges are variable-length output constructions.
- Define the strength of the construction as a function of some size parameters.

Keccak's specifications: The sponge construction with capacity $c$
- Use the parameter $c$ as an indicator for the security of the construction (flat sponge claim).
- No generic attacks below $2^{c/2}$ (unless easier generically).
  - Collision: $\min(2^{c/2}, 2^{n/2})$
  - Preimage: $\min(2^{c/2}, 2^{n})$
  - Second preimage: $\min(2^{c/2}, 2^{n})$
- Performance and security trade-off.

Keccak's specifications: The SHA-3 standard
- Based on the sponge construction with a fixed permutation of 1600 bits, called Keccak-f.
- Four SHA3 fixed-length hash functions: SHA3-{224, 256, 384, 512}, with $c = 2n$. Replacements for SHA2.
- Two SHA3 XOFs (Extendable-Output Functions): SHAKE-256 and SHAKE-512 (SHAKE = SHA + KEccak).

Keccak's specifications: The Keccak-f permutation
- 1600-bit state, seen as a 3-dimensional $5 \times 5 \times 64$ matrix
- 24 rounds $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$
- Linear layer: $L = \pi \circ \rho \circ \theta$
- Nonlinear layer: 320 parallel applications of a $5 \times 5$ S-box $\chi$

Keccak's specifications: The θ transformation
$$a[x][y][z] \leftarrow a[x][y][z] + \sum_{y'=0}^{4} a[x-1][y'][z] + \sum_{y'=0}^{4} a[x+1][y'][z-1]$$

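Keccak's specifications: The ρ transformation
|       | x = 3 | x = 4 | x = 0 | x = 1 | x = 2 |
|-------|-------|-------|-------|-------|-------|
| y = 2 | 25 | 39 | 3 | 10 | 43 |
| y = 1 | 55 | 20 | 36 | 44 | 6 |
| y = 0 | 28 | 27 | 0 | 1 | 62 |
| y = 4 | 56 | 14 | 18 | 2 | 61 |
| y = 3 | 21 | 8 | 41 | 45 | 15 |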

Keccak's specifications: The π transformation

Keccak's specifications: The χ transformation
320 parallel applications of a $5 \times 5$ bit S-box.
$$\chi(x_0,x_1,x_2,x_3,x_4) = (x_0 + x_2 + x_1x_2,\; x_1 + x_3 + x_2x_3,\; x_2 + x_4 + x_3x_4,\; x_3 + x_0 + x_4x_0,\; x_4 + x_1 + x_0x_1)$$
Can be implemented by using an XOR, an AND and a NOT operation.

Keccak's specifications: The ι transformation
- XOR of a round-dependent constant to the lane at the origin.
- Breaks symmetry. Without ι ...
  - ... the round mapping would be symmetric (rotational cryptanalysis?)
  - ... all rounds would be the same (slide attacks?)
  - ... simple fixed points: (000 and 111)

Keccak's specifications: The reasons for choosing Keccak
- High security margin
- Simple and elegant design
- Flexibility in choosing parameters
- Good performance in software (not as good as SHA2, Skein or BLAKE, but still more than acceptable)
- Excellent performance in hardware (better than all the other candidates and better than SHA2!)
- Built-in authenticated-encryption mode
- Different design than SHA2

Algebraic properties of Keccak-f: Random behaviour of cryptographic primitives
Cryptographic primitives should behave like random functions:
- A distinguishing property may be the starting point for some attacks.
- Security proofs of many constructions assume random building blocks, e.g. the hermetic sponge strategy: the underlying permutation $f$ of a sponge construction should not have any structural distinguishers.
Does Keccak-f behave like a random permutation of $\mathbb{F}_2^{1600}$?

Algebraic properties of Keccak-f: Algebraic degree of a vectorial function $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$
Example:
$$\begin{aligned} F(x_0,x_1,x_2,x_3,x_4) = (\,& x_0 + x_2 + x_4 + x_1x_2 + x_1x_4 + x_3x_4 + x_1x_3x_4, \\ & x_0 + x_1 + x_3 + x_0x_2 + x_0x_4 + x_2x_3 + x_0x_2x_4, \\ & x_1 + x_2 + x_4 + x_0x_1 + x_1x_3 + x_3x_4 + x_0x_1x_3, \\ & x_0 + x_2 + x_3 + x_0x_4 + x_1x_2 + x_2x_4 + x_1x_2x_4, \\ & x_1 + x_3 + x_4 + x_0x_1 + x_0x_3 + x_2x_3 + x_0x_2x_3 \,). \end{aligned}$$
The algebraic degree of $F$ is 3.

Algebraic properties of Keccak-f: Some attacks exploiting a low algebraic degree
- Algebraic attacks: write the equations defining the primitive and try to solve the polynomial system.
- Cube attacks [Dinur-Shamir 08]: the factor of some monomial depends linearly on the key bits.
- Higher-order differential attacks [Lai 94] [Knudsen 94]: let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. For every subspace $V$ with $\dim V > \deg F$,
$$D_V F(x) = \sum_{v \in V} F(x + v) = 0 \quad \text{for every } x \in \mathbb{F}_2^n.$$

Algebraic properties of Keccak-f: Zero-sums
- For block ciphers (known-key attack) [Knudsen - Rijmen 07]
- For hash functions [Aumasson - Meier 09, Boura - Canteaut 10]
Definition. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. A zero-sum for $F$ of size $K$ is a subset $\{x_1, \ldots, x_K\} \subset \mathbb{F}_2^n$ such that
$$\sum_{i=1}^{K} x_i = \sum_{i=1}^{K} F(x_i) = 0.$$
Proposition [Boura-Canteaut 10]. For any function $F$, there exists at least a zero-sum of size $\le 5$.

Algebraic properties of Keccak-f: Zero-sum partitions
Definition. Let $P$ be a permutation from $\mathbb{F}_2^n$ to $\mathbb{F}_2^n$. A zero-sum partition for $P$ of size $K = 2^k$ is a collection of $2^{n-k}$ disjoint zero-sums.

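Algebraic properties of Keccak-f: Exploiting a low algebraic degree
$P = R_r \circ \cdots \circ R_1$. Let $F_{r-t} = R_r \circ \cdots \circ R_{t+1}$ and $G_t = R_1^{-1} \circ \cdots \circ R_t^{-1}$.
Let $V \subset \mathbb{F}_2^n$ with $\dim V > \max(\deg F_{r-t}, \deg G_t)$.
[Diagram: starting from the middle coset $V + a$, $G_t$ maps backwards to $X_a$ and $F_{r-t}$ maps forwards to $P(X_a)$.]
$X_a = \{G_t(z + a),\ z \in V\}$ is a zero-sum partition of $\mathbb{F}_2^n$ of size $2^{\dim V}$ for $P$:
$$\sum_{x \in X_a} x = \sum_{z \in V} G_t(z + a) = D_V G_t(a) = 0$$
$$\sum_{x \in X_a} P(x) = \sum_{z \in V} F_{r-t}(z + a) = D_V F_{r-t}(a) = 0$$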

Algebraic properties of Keccak-f: Trivial bounds
24 rounds of a permutation $R$ of degree 2 over $\mathbb{F}_2^{1600}$:
- after $r$ rounds, $\deg(R^r) \le 2^r$.
What is usually expected:
- a full degree after 11 rounds
- existence of zero-sum partitions up to 16 rounds of size $2^{1025}$: $\deg(R^{10}) \le 2^{10}$ and $\deg((R^{-1})^{6}) \le 3^{6}$
[Diagram: $R^{16}$ split as $R^{6}$ and $R^{10}$ around the middle coset $V + a$, with $X_a$ at the input and $R^{16}(X_a)$ at the output.]

Algebraic properties of Keccak-f: A new bound exploiting the structure of the non-linear layer
[Figure: three rounds, each drawn as a row of parallel χ S-boxes followed by a linear layer.]

Algebraic properties of Keccak-f
[Figure: a row of parallel χ S-boxes.]
Find the maximal degree of the product $\pi$ of $d$ output coordinates.
$\delta_k$ = maximal degree of the product of $k$ coordinates of $\chi$.
Example ($d = 13$):
- coordinates split over the S-boxes as 5 + 5 + 3: $\deg(\pi) \le 2\delta_5 + \delta_3$
- coordinates split over the S-boxes as 5 + 3 + 3 + 2: $\deg(\pi) \le \delta_5 + 2\delta_3 + \delta_2$
In general,
$$\deg(\pi) \le \max_{(x_1,x_2,x_3,x_4)} \left(\delta_1 x_1 + \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4\right) \quad \text{with } x_1 + 2x_2 + 3x_3 + 4x_4 = d.$$

Algebraic properties of Keccak-f: Bound on $\delta_k$
For $\chi$: $\delta_k$ = maximal degree of the product of $k$ coordinates of $\chi$. Before applying the proposition below:
| $k$ | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| $\delta_k$ | 2 | 4 | 5 | 5 | 5 |
Proposition. If $S$ is a permutation of $\mathbb{F}_2^n$, then $\delta_k = n$ if and only if $k = n$.
Since $\chi$ is a permutation, $\delta_3$ and $\delta_4$ must be smaller than 5:
| $k$ | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| $\delta_k$ | 2 | 4 | 4 | 4 | 5 |

Algebraic properties of Keccak-f: A bound on the degree of SPN constructions [Boura Canteaut De Cannière FSE 2011]
Theorem. Let $F = (S, \ldots, S)$ be a permutation of $\mathbb{F}_2^n$ with $S$ defined over $\mathbb{F}_2^{n_0}$. Then
$$\deg(G \circ F) \le n - \frac{n - \deg(G)}{\gamma(S)},$$
where
$$\gamma(S) = \max_{1 \le k \le n_0 - 1} \frac{n_0 - k}{n_0 - \delta_k(S)}.$$

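Algebraic properties of Keccak-f: Application to Keccak-f
$$\gamma(\chi) = \max_{1 \le k \le 4} \frac{5 - k}{5 - \delta_k(\chi)}$$
| $k$ | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| $\delta_k(\chi)$ | 2 | 4 | 4 | 4 | 5 |
$$\gamma(\chi) = \max\left(\frac{4}{3}, \frac{3}{1}, \frac{2}{1}, \frac{1}{1}\right) = 3$$
We deduce
$$\deg(R^r) \le 1600 - \frac{1600 - \deg(R^{r-1})}{3}.$$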

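Algebraic properties of Keccak-f
| $r$ | bound on $\deg(R^r)$ |
|---|---|
| 1 | 2 |
| 2 | 4 |
| 3 | 8 |
| 4 | 16 |
| 5 | 32 |
| 6 | 64 |
| 7 | 128 |
| 8 | 256 |
| 9 | 512 |
| 10 | 1024 |
| 11 | 1408 |
| 12 | 1536 |
| 13 | 1578 |
| 14 | 1592 |
| 15 | 1597 |
| 16 | 1599 |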

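Algebraic properties of Keccak-f: Application to the inverse of Keccak-f
$$\gamma(\chi^{-1}) = \max_{1 \le k \le 4} \frac{5 - k}{5 - \delta_k(\chi^{-1})}$$
| $k$ | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| $\delta_k(\chi^{-1})$ | 3 | 4 | 4 | 4 | 5 |
Observation [Duan-Lai 11]: $\delta_2(\chi^{-1}) = 3$.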

Algebraic properties of Keccak-f: Influence of the degree of the inverse
Question: Is $\delta_2(\chi^{-1})$ related to $\deg(\chi)$?
Theorem [Boura-Canteaut 13]. Let $F$ be a permutation on $\mathbb{F}_2^n$. Then, for any integers $k$ and $l$, $\delta_l(F) < n - k$ if and only if $\delta_k(F^{-1}) < n - l$.
Case of Keccak: for $F = \chi^{-1}$, $k = 1$ and $l = 2$, $\delta_1(\chi) = 2 < 5 - 2$ implies $\delta_2(\chi^{-1}) < 5 - 1 = 4$.
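Added example (not part of the original slides): the $\delta_k$ tables and $\gamma$ values above can be recomputed directly from the definition of χ. The Python below builds χ and its inverse as 5-bit lookup tables, computes $\delta_k$ over all products of $k$ output coordinates, and checks the theorem for every $k, l$ in 1..4; all function names are chosen here for illustration.

```python
from itertools import combinations

N = 5  # chi acts on 5-bit rows; bit i of an integer holds x_i


def chi(x):
    """Keccak chi on one row: y_i = x_i + x_{i+2} + x_{i+1} x_{i+2} over GF(2)."""
    bit = lambda i: (x >> (i % N)) & 1
    return sum((bit(i) ^ bit(i + 2) ^ (bit(i + 1) & bit(i + 2))) << i
               for i in range(N))


CHI = [chi(x) for x in range(1 << N)]
CHI_INV = [CHI.index(y) for y in range(1 << N)]  # chi is a permutation


def coordinate(sbox, i):
    """Truth table of output coordinate i."""
    return [(y >> i) & 1 for y in sbox]


def anf(truth_table):
    """Moebius transform: truth table -> ANF coefficients indexed by monomial mask."""
    coeffs = list(truth_table)
    for i in range(N):
        for m in range(1 << N):
            if (m >> i) & 1:
                coeffs[m] ^= coeffs[m ^ (1 << i)]
    return coeffs


def degree(truth_table):
    """Algebraic degree: largest monomial with a non-zero ANF coefficient."""
    return max((bin(m).count("1") for m, c in enumerate(anf(truth_table)) if c),
               default=0)


def delta(sbox):
    """[delta_1, ..., delta_5]: maximal degree of a product of k output coordinates."""
    coords = [coordinate(sbox, i) for i in range(N)]
    result = []
    for k in range(1, N + 1):
        best = 0
        for subset in combinations(coords, k):
            product = [int(all(bits)) for bits in zip(*subset)]
            best = max(best, degree(product))
        result.append(best)
    return result


def gamma(sbox):
    """gamma(S) = max over 1 <= k <= n0 - 1 of (n0 - k) / (n0 - delta_k(S))."""
    d = delta(sbox)
    return max((N - k) / (N - d[k - 1]) for k in range(1, N))


def duality_holds(sbox, inverse):
    """delta_l(F) < n - k  <=>  delta_k(F^-1) < n - l, for all 1 <= k, l <= n - 1."""
    d, d_inv = delta(sbox), delta(inverse)
    return all((d[l - 1] < N - k) == (d_inv[k - 1] < N - l)
               for k in range(1, N) for l in range(1, N))


if __name__ == "__main__":
    print("delta_k(chi)    =", delta(CHI), " gamma =", gamma(CHI))
    print("delta_k(chi^-1) =", delta(CHI_INV), " gamma =", gamma(CHI_INV))
    print("theorem holds for chi:", duality_holds(CHI, CHI_INV))
```

The computed ANF of the first coordinate of the inverse is the first coordinate of the degree-3 example $F$ shown earlier.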

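Algebraic properties of Keccak-f: A new bound
Theorem. Let $F = (S, \ldots, S)$ be a permutation of $\mathbb{F}_2^n$ with $S$ defined over $\mathbb{F}_2^{n_0}$. Then
$$\deg(G \circ F) \le n - \frac{n - \deg(G)}{\gamma(S)},$$
where
$$\gamma(S) = \max_{1 \le k \le n_0 - 1} \frac{n_0 - k}{n_0 - \delta_k(S)}.$$
We can prove that
$$\gamma(S) \le \max\left(\frac{n_0 - 1}{n_0 - \deg S},\; \frac{n_0}{2} - 1,\; \deg(S^{-1})\right).$$
For the inverse of Keccak-f: $\gamma(\chi^{-1}) \le 2$.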

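Algebraic properties of Keccak-f
| $r$ | bound on $\deg((R^{-1})^r)$ | bound on $\deg((R^{-1})^r)$ (improved) |
|---|---|---|
| 1 | 3 | 3 |
| 2 | 9 | 9 |
| 3 | 27 | 27 |
| 4 | 81 | 81 |
| 5 | 243 | 243 |
| 6 | 729 | 729 |
| 7 | 1309 | 1164 |
| 8 | 1503 | 1382 |
| 9 | 1567 | 1491 |
| 10 | 1589 | 1545 |
| 11 | 1596 | 1572 |
| 12 | 1598 | 1586 |
| 13 | 1599 | 1593 |
| 14 | 1599 | 1596 |
| 15 | 1599 | 1598 |
| 16 | 1599 | 1599 |
$$\deg((R^{-1})^{r}) \le 1600 - \frac{1600 - \deg((R^{-1})^{r-1})}{2}$$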
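Added example (not from the original slides): both degree tables follow from iterating the bound round by round, keeping the smaller of the trivial bound and the structural bound and rounding down. The helper names are illustrative; the round degrees (2 forward, 3 backward) and the values of $\gamma$ (3, then 2 for the improved inverse bound) are the ones given above.

```python
def degree_bounds(round_degree, gamma, rounds, n=1600):
    """Upper bounds on the degree of r iterated rounds, for r = 1..rounds.

    round_degree: degree of one round (2 for R, 3 for its inverse).
    gamma:        integer gamma(S) of the S-box applied first in each step.
    Each step keeps min(trivial bound, n - (n - previous) / gamma), floored.
    """
    bounds, prev = [], 1  # the identity (zero rounds) has degree 1
    for _ in range(rounds):
        trivial = prev * round_degree
        # floor(n - (n - prev) / gamma) == n - ceil((n - prev) / gamma)
        structural = n - -(-(n - prev) // gamma)
        prev = min(trivial, structural)
        bounds.append(prev)
    return bounds


def generic_zero_sum_dimension(forward_bound, backward_bound):
    """Smallest dim V with dim V > max(deg F, deg G) in the generic construction."""
    return max(forward_bound, backward_bound) + 1


FORWARD = degree_bounds(2, 3, 16)           # R with gamma(chi) = 3
BACKWARD = degree_bounds(3, 3, 16)          # inverse, first bound
BACKWARD_IMPROVED = degree_bounds(3, 2, 16) # inverse with gamma(chi^-1) <= 2

if __name__ == "__main__":
    print(" r  forward  inverse  inverse (improved)")
    for r in range(16):
        print(f"{r + 1:2d}  {FORWARD[r]:7d}  {BACKWARD[r]:7d}  {BACKWARD_IMPROVED[r]:7d}")
    # 16 rounds split as 10 forward + 6 backward, as in the trivial-bounds slide
    print("dim V for 16 rounds:",
          generic_zero_sum_dimension(FORWARD[9], BACKWARD[5]))
```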

Algebraic properties of Keccak-f: Zero-sum partitions for full Keccak-f
$\deg(R^{12}) \le 1536$ and $\deg((R^{-1})^{11}) \le 1572$.
$X_a = \{(R^{-1})^{11}(a + z),\ z \in V\}$ is a zero-sum partition of size $2^{1575}$ for 24 rounds of Keccak-f.

Algebraic properties of Keccak-f: Consequences?
- The security proof still holds if the inner permutation has a given structural property involving more than $2^{\frac{c+1}{2}}$ input-output pairs.
- The existence of the zero-sum partitions pushed the authors to increase the number of rounds from 18 to 24.

Collision attacks against reduced-round Keccak: Summary of cryptanalysis results
| Target | Attack type | Output | Variant | CF call | Reference |
|---|---|---|---|---|---|
| Keccak-f | Distinguisher | all | 24 rounds | $2^{1575}$ | [Boura et al. and Duan-Lai 2011] |
| Keccak-f | Distinguisher | all | 8 rounds | $2^{491.47}$ | [Duc et al. 2012] |
| Keccak-f | Distinguisher | all | 6 rounds | $2^{11}$ | [Kuila et al. 2014] |
| Hash function | Distinguisher | 224, 256 | 4 rounds | $2^{25}$ | [Naya-Plasencia et al. 2011] |
| Hash function | Collision | 224, 256 | 2 rounds | Example | [Naya-Plasencia et al. 2011] |
| Hash function | 2nd preimage | 224, 256 | 2 rounds | Example | [Naya-Plasencia et al. 2011] |
| Hash function | 2nd preimage | 512 | 6 rounds | $2^{506}$ | [Bernstein 2010] |
| Hash function | 2nd preimage | 512 | 7 rounds | $2^{507}$ | [Bernstein 2010] |
| Hash function | 2nd preimage | 512 | 8 rounds | $2^{511.5}$ | [Bernstein 2010] |
| Hash function | Collision | 224, 256 | 4 rounds | Example | [Dinur et al. 2012] |
| Hash function | Collision | 256 | 5 rounds | $2^{115}$ | [Dinur et al. 2013] |
| Hash function | Collision | 384 | 3 rounds | Example | [Dinur et al. 2013] |
| Hash function | Collision | 384 | 4 rounds | $2^{147}$ | [Dinur et al. 2013] |
| Hash function | Collision | 512 | 3 rounds | Example | [Dinur et al. 2013] |

Collision attacks against reduced-round Keccak: Practical collision attacks against reduced-round Keccak
"Practical Analysis of Reduced-Round Keccak", M. Naya-Plasencia, A. Röck and W. Meier, Indocrypt 2011.
- Exploit the Column Parity Kernel (CP-Kernel), leading to 2-round low Hamming weight characteristics.
- Practical collisions and second preimages for 2-round Keccak-{224,256}.
"New attacks on Keccak-224 and Keccak-256", I. Dinur, O. Dunkelman and A. Shamir, FSE 2012.
- Extend the previous 2-round CP-Kernel characteristics.
- Exploit that χ is of degree 2.
- Practical collisions for 4-round Keccak-{224,256}.

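Collision attacks against reduced-round Keccak: Differential cryptanalysis
- Introduced by Biham and Shamir in 1990.
- Based on the notion of differentials $(\delta_{in} \to \delta_{out})$.
Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$.
[Diagram: a pair of inputs $x$ and $x + \delta_{in}$ with difference $\delta_{in}$ is mapped by $F$ to a pair of outputs with difference $\delta_{out}$.]
$$DP_F(\delta_{in} \to \delta_{out}) = \frac{\#\{(x, x') : x \oplus x' = \delta_{in} \text{ and } F(x) \oplus F(x') = \delta_{out}\}}{2^n}$$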

Collision attacks against reduced-round Keccak: Differential characteristics
Let $F = f^r$.
$$\delta_{in} = \delta_0 \to \delta_1 \to \delta_2 \to \delta_3 \to \delta_4 = \delta_{out}$$
$$DP_F(\delta_0 \to \delta_r) = \prod_{i=0}^{r-1} DP_f(\delta_i \to \delta_{i+1})$$
Differential characteristics of high probability
- can be used as distinguishers,
- lead to key-recovery attacks (in block ciphers),
- lead to collision attacks (in hash functions).

Collision attacks against reduced-round Keccak: Low Hamming-weight characteristics
Crucial transformations: θ and χ.
Properties of θ:
- Column Parity Kernel (Keccak team): for states in which all columns have even parity, θ is the identity.
- Lowest Hamming weight for states in the CP-kernel: 2.
Properties of χ:
- 1-bit differences stay the same with probability $2^{-2}$.
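Added example (not from the original slides): a check of the two properties stated above, with θ implemented from its definition on a 5 × 5 × 64 state and the differential probability of χ obtained by exhaustive count over the 32 row values. The state layout, sample states and function names are choices made for this example.

```python
from functools import reduce

W = 64
MASK = (1 << W) - 1


def rotl1(lane):
    """Rotate a 64-bit lane by one position towards higher z."""
    return ((lane << 1) | (lane >> (W - 1))) & MASK


def theta(state):
    """theta on state[x][y] = 64-bit lane, bit z of the lane being a[x][y][z].

    a[x][y][z] += parity of column (x-1, z) + parity of column (x+1, z-1).
    """
    parity = [reduce(lambda p, lane: p ^ lane, state[x], 0) for x in range(5)]
    effect = [parity[(x - 1) % 5] ^ rotl1(parity[(x + 1) % 5]) for x in range(5)]
    return [[state[x][y] ^ effect[x] for y in range(5)] for x in range(5)]


def state_from_bits(bits):
    """Build a state (or a difference) from a list of active (x, y, z) positions."""
    state = [[0] * 5 for _ in range(5)]
    for x, y, z in bits:
        state[x][y] ^= 1 << z
    return state


def weight(state):
    """Hamming weight of the whole 1600-bit state."""
    return sum(bin(lane).count("1") for column in state for lane in column)


def in_cp_kernel(state):
    """True when every column (fixed x and z) has even parity."""
    return all(reduce(lambda p, lane: p ^ lane, state[x], 0) == 0 for x in range(5))


def chi_row(x):
    """chi on one 5-bit row: y_i = x_i + x_{i+2} + x_{i+1} x_{i+2}."""
    bit = lambda i: (x >> (i % 5)) & 1
    return sum((bit(i) ^ bit(i + 2) ^ (bit(i + 1) & bit(i + 2))) << i
               for i in range(5))


def dp_chi(d_in, d_out):
    """DP of the differential d_in -> d_out through one chi S-box."""
    hits = sum(1 for x in range(32) if (chi_row(x) ^ chi_row(x ^ d_in)) == d_out)
    return hits / 32


if __name__ == "__main__":
    kernel = state_from_bits([(1, 0, 7), (1, 3, 7)])   # two bits in one column
    single = state_from_bits([(2, 4, 63)])             # one bit, odd column
    print("weight-2 kernel state fixed by theta:", theta(kernel) == kernel)
    print("weight after theta on a single bit:", weight(theta(single)))
    print("DP_chi(e_i -> e_i):", [dp_chi(1 << i, 1 << i) for i in range(5)])
```

Since θ is linear, the same function applies to differences as well as to states, which is how the kernel property is used in differential characteristics.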

Collision attacks against reduced-round Keccak: Searching for double kernels
[Figure: image from [Naya-Plasencia, Röck, Meier, 2011].]

Collision attacks against reduced-round Keccak: Collisions on 2-round Keccak-256
- Initial differences in the message part.
- 2-round 4-slice characteristics of weight 16: probability $2^{-32}$.
- Output difference $\delta_{out}$ not in the hash part.

Collision attacks against reduced-round Keccak: Practical collisions for 4-round Keccak-{224,256} [Dinur, Dunkelman, Shamir 2012]
[Figure: the attack in three stages: target difference algorithm (1 round), characteristic extended backwards (1 round), high probability differential characteristic $\delta_{in} \to \delta_{out}$ (2 rounds).]
- Use the two-round low Hamming weight differential characteristics found in [Naya-Plasencia, Röck, Meier 2011].
- Place them after the second round and extend one round backwards (target difference).
- Find message pairs having the target difference after one round of Keccak-f.

Collision attacks against reduced-round Keccak: Extending one round backwards: the θ effect
Inverse of θ: applying $\theta^{-1}$ to a difference with a single active bit results in a difference with about half of the bits active.

Collision attacks against reduced-round Keccak: Link to the target difference
[Figure: the initial state, showing the controllable part, the part fixed to 0, and the target difference.]

Collision attacks against reduced-round Keccak: The target difference algorithm
Two problems to deal with:
1. The target difference is extended backwards with very low probability.
2. The initial state has many bits fixed to a certain value.
But: many available degrees of freedom.
Method: the χ function is of degree 2, so after differentiating once, one has to deal with a linear system.

Collision attacks against reduced-round Keccak: Conclusions
- Efforts of the cryptographic community concentrated on the security analysis of SHA-3.
- Analyze equally the security of keyed versions (recent cube attacks) and of other constructions based on Keccak-f.
- Analyze Keccak with smaller permutation sizes (use in constrained devices).
- SHA-3 seems to have a (very) big security margin.
Thank you for your attention!