A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function

Similar documents
Cryptographic Hash Function. Norwegian University of Science and Technology. Trondheim, Norway

NORWAY

Pseudo-cryptanalysis of the Original Blue Midnight Wish

Cryptographic Hash Function

Analysis of Some Quasigroup Transformations as Boolean Functions

Collision Attack on Boole

Practical consequences of the aberration of narrow-pipe hash designs from ideal random functions

Chapter 2. Matrix Arithmetic. Chapter 2

Cryptanalysis of EnRUPT

Cryptanalysis of Luffa v2 Components

Practical Near-Collisions on the Compression Function of BMW

Experiment 7: Magnitude comparators

Lectures on Linear Algebra for IT

Matrix Arithmetic. (Multidimensional Math) Institute for Advanced Analytics. Shaina Race, PhD

AES side channel attacks protection using random isomorphisms

Testing the Properties of Large Quasigroups

Key Recovery Attack against 2.5-round π-cipher

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Elementary maths for GMT

Characterization of Column Parity Kernel and Differential Cryptanalysis of Keccak

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

Cryptographic Hash Function

Chapter 4 Systems of Linear Equations; Matrices

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

LINEAR ALGEBRA KNOWLEDGE SURVEY

Chapter 2 Notes, Linear Algebra 5e Lay

Structural Cryptanalysis of SASAS

HASH FUNCTIONS 1 /62

Extended Criterion for Absence of Fixed Points

Analysis of cryptographic hash functions

Quantum Preimage and Collision Attacks on CubeHash

MATRIX ALGEBRA AND SYSTEMS OF EQUATIONS. + + x 1 x 2. x n 8 (4) 3 4 2

Structural Evaluation by Generalized Integral Property

On periods of Edon-(2m, 2k) Family of Stream Ciphers

Avoiding collisions Cryptographic hash functions. Table of contents

Getting Started with Communications Engineering

The Differential Analysis of S-functions,

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

chapter 12 MORE MATRIX ALGEBRA 12.1 Systems of Linear Equations GOALS

Review of Basic Concepts in Linear Algebra

Improved Collision Attack on MD5

HASH FUNCTIONS. Mihir Bellare UCSD 1

Higher-order differential properties of Keccak and Luffa

The Hash Function JH 1

Roberto s Notes on Linear Algebra Chapter 10: Eigenvalues and diagonalization Section 3. Diagonal matrices

A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT

Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL

The Singular Value Decomposition (SVD) and Principal Component Analysis (PCA)

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

New attacks on Keccak-224 and Keccak-256

Topics. Vectors (column matrices): Vector addition and scalar multiplication The matrix of a linear function y Ax The elements of a matrix A : A ij

Conventional Matrix Operations

Elementary Linear Algebra

Cryptographic Hash Functions Part II

Lectures on Linear Algebra for IT

x + 2y + 3z = 8 x + 3y = 7 x + 2z = 3

Things we can already do with matrices. Unit II - Matrix arithmetic. Defining the matrix product. Things that fail in matrix arithmetic

Cryptanalysis of Achterbahn

Cube Test Analysis of the Statistical Behavior of CubeHash and Skein

Matrices and systems of linear equations

GAUSSIAN ELIMINATION AND LU DECOMPOSITION (SUPPLEMENT FOR MA511)

ORIE 6300 Mathematical Programming I August 25, Recitation 1

Higher-order differential properties of Keccak and Luffa

LOOKING INSIDE AES AND BES

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

MA 138 Calculus 2 with Life Science Applications Matrices (Section 9.2)

An algorithm for judging and generating multivariate quadratic quasigroups over Galois fields

An Improved Fast and Secure Hash Algorithm

Large Quasigroups in Cryptography and their Properties Testing

Linear Algebra, Summer 2011, pt. 2

EE731 Lecture Notes: Matrix Computations for Signal Processing

Lecture 4: DES and block ciphers

Elementary Matrices. which is obtained by multiplying the first row of I 3 by -1, and

Basic Concepts in Linear Algebra

How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis

Linear Equations and Matrix

HOUSEHOLDER REDUCTION

2.1 Matrices. 3 5 Solve for the variables in the following matrix equation.

Beyond the MD5 Collisions

POLI270 - Linear Algebra

8-15. Stop by or call (630)

Linear Algebra V = T = ( 4 3 ).

Hash Functions and Gröbner Bases Cryptanalysis

Multivariate Statistical Analysis

Impossible Differential Cryptanalysis of Mini-AES

A Scalable and Provably Secure Hash-Based RFID Protocol

Security Analysis of the Compression Function of Lesamnta and its Impact

Introduction to Matrix Algebra

is a 3 4 matrix. It has 3 rows and 4 columns. The first row is the horizontal row [ ]

Name: Matriculation Number: Tutorial Group: A B C D E

Multivariate Distributions

JUST THE MATHS UNIT NUMBER 9.3. MATRICES 3 (Matrix inversion & simultaneous equations) A.J.Hobson

Lecture 6, Sci. Comp. for DPhil Students

Genetic Search for Quasigroups with Heterogeneous Power Sequences

MATH 315 Linear Algebra Homework #1 Assigned: August 20, 2018

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Preface. Figures Figures appearing in the text were prepared using MATLAB R. For product information, please contact:

Mon Feb Matrix algebra and matrix inverses. Announcements: Warm-up Exercise:

Math 360 Linear Algebra Fall Class Notes. a a a a a a. a a a

MAT2342 : Introduction to Applied Linear Algebra Mike Newman, fall Projections. introduction

Transcription:

A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function Vlastimil Klima 1 and Petr Susil 2 1 Independent cryptologist - consultant, Czech Republic v.klima@volny.cz 2 EPFL PhD student susil.petr@gmail.com Abstract. BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMW lin, which is an affine transformation. In this paper we consider only a BMW lin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMW lin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds 1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds 1 tends to increase randomness as was intended by designers. These observations hold for both BMW 256 lin and BMW 512 lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow. 1 Introduction The BMW algorithm [3] is of the type AXR, since it uses only operations XOR, ADD (sub) and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMW lin, which is an affine transformation. In this paper we consider only a BMW lin and its building blocks. These are affine transformations, which can be represented by matrices. We present the rank and the structure of these binary matrices. Main

Fig. 1. The scheme of (tweaked) BMW [2] blocks of BMW are f 0, f 1, f 2, they produce three intermediate values Q a,q b, G, and a chaining value H. All these variables consist of 16 w- bit words. The variables depend only on the input block M and an old hash value H. These dependencies will be shown in matrices. Note the rank and the structure for each matrix. We will also present matrices for different values of security parameter ExpandRounds 1 (values between

0 and 16). Let us remind the reader that after ExpandRounds 1 rounds of the function expand 1 there follow (16 ExpandRounds 1 ) rounds of the function expand 2 [3]. For the simplicity of this paper we suppose that the reader is familiar with the basic description of BMW [3]. We use a simple notation H, but whenever a misunderstanding is possible we distinguish between oldh and newh. Our observations and conclusions hold for both BMW 256 lin and BMW 512 lin, but we present results only for BMW 256 lin. In the following picture we can see linear dependencies between M and Q a. There are two matrices of the type 512 512 (separated by a black stripe) which we denote (M, Q a ). The columns represent 512 variables (bits) of M on the left side and 512 variables (bits) of Q a on the right side. Lines represents linear equations between bits on the left side (M) and on the right side (Q a ). Since the matrix on the right is an identity matrix, it gives us direct expressions for bits of Q a with variables from M. Every line can be expressed as a linear equation: i Left x i = j Right y j. Indexes of bits which are included in the equation are denoted as black dots. In the picture we can see (among other things) dependencies of the first word of Q a on five words of M, which follows from the transformation A 1 in [3]. Fig. 2. Example of dependencies between variables (bits) of M and Q a, denoted as (M, Q a) In the Fig. 2 we can see the dependency of Q a on M. To get the dependency of M on Q a, we need to find an inverse matrix. As we know from linear algebra, xoring one line with another or changing the order of

lines does not change the rank of the matrix. Using these two operation in our elimination algorithm we transform the pair of matrices (A, I) to (I, A ), where I is an identity matrix and I is identity matrix if A has a full rank. If I is an identity matrix then matrix A gives dependencies of M on Q a, as is shown in the following picture. If the matrix A is singular, the matrix I will have nonempty columns above the diagonal. The variable (bit), which corresponds to this nonempty column, creates linear dependencies only with other variables (bits) in the matrix, see for instance Fig. 4 (Zoom on matrix with rank = MAX-1). The most important dependencies are shown in the following section. Fig. 3. (M, Q a) - dependency between M and Q a Elimination algorithm - transformation of (A, I) to (I, A ): Input: boolean matrix A[LEN][LEN] Output: pair of boolean matrices (I,A ) var boolean matrix I[LEN][LEN], where I[i][j]=1 if i==j and I[i][j]=0 otherwise for i=1 to LEN begin if A[i][i] then for all j!= i and A[j][i] //add line i to line j in (A, I) for all k A[j][k] = A[j][k] + A[i][k] and I[j][k] = I[j][k] + I[i][k]; else

for all j > i if A[j][i] //switch line j and i in (A, I) for all k switch values A[j][k] and A[i][k] and I[j][k] and I[i][k] go to begin (without increasing i) or go to end (if i = LEN) end output (A,I) Fig. 4. Zoom on matrix with rank = MAX-1 2 Dependency of Q a on M We can see the dependency in the Fig. 2 and 3. Note that matrices do not depend on the value ExpandRounds 1, since Q a is created before the function f 1. Rank of matrix (M, Q a ) is 512 i.e. the matrix has a full rank.

3 Dependency of Q a on H Also rank of matrix (H, Q a ) is 512. Note that the matrix expresses the dependence in the block f 0, so it does not depend on the value ExpandRounds 1. Fig. 5. (H, Q a) Fig. 6. (H, Q a)

4 Dependency of Q b on M We can see here for the first time that matrices do not have full rank and that increasing the number of rounds ExpandRounds 1 tends to increase the randomness in dependencies. Since all other dependencies (among other variables) are similar, in next sections we will show only ranks of matrices. ExpandRounds 1 0 1 2 3 4 5 6 7 8 Rank(M, Q b ) 511 512 512 510 511 512 512 511 510 ExpandRounds 1 9 10 11 12 13 14 15 16 Rank(M, Q b ) 511 511 512 512 510 512 511 510 Fig. 7. (M, Q b ), ExpandRounds 1=0

Fig. 8. (M, Q b ), ExpandRounds 1=2 Fig. 9. (M, Q b ), ExpandRounds 1=16

Fig. 10. (M, Q b ), ExpandRounds 1=0 Fig. 11. (M, Q b ), ExpandRounds 1=2 Fig. 12. (M, Q b ), ExpandRounds 1=16

5 Dependency of Q b on oldh ExpandRounds 1 0 1 2 3 4 5 6 7 8 Rank(oldH, Q b ) 512 510 509 511 511 511 511 510 512 ExpandRounds 1 9 10 11 12 13 14 15 16 Rank(oldH, Q b ) 511 511 512 510 511 512 511 511 Fig. 13. (oldh, Q b ), ExpandRounds 1=0

Fig. 14. (oldh, Q b ), ExpandRounds 1=2 Fig. 15. (oldh, Q b ), ExpandRounds 1=16

6 Dependency of G on M ExpandRounds 1 0 1 2 3 4 5 6 7 8 Rank(M, G) 512 510 511 512 510 511 510 512 511 ExpandRounds 1 9 10 11 12 13 14 15 16 Rank(M, G) 510 510 510 511 512 512 510 511 Fig. 16. (M, G), ExpandRounds 1=2 Fig. 17. (M, G), ExpandRounds 1=2

7 Dependency of G on oldh ExpandRounds 1 0 1 2 3 4 5 6 7 8 Rank(oldH, G) 511 511 510 511 511 511 512 511 511 ExpandRounds 1 9 10 11 12 13 14 15 16 Rank(oldH, G) 512 510 510 511 512 512 511 511 Fig. 18. (oldh, G), ExpandRounds 1=2 Fig. 19. (oldh, G), ExpandRounds 1=2

8 Dependency of newh on M ExpandRounds 1 0 1 2 3 4 5 6 7 8 Rank(oldH, G) 512 510 511 512 510 511 510 512 511 ExpandRounds 1 9 10 11 12 13 14 15 16 Rank(oldH, G) 510 510 510 511 512 512 510 511 Fig. 20. (M, newh), ExpandRounds 1=2 Fig. 21. (M, newh), ExpandRounds 1=2

9 Dependency of newh on oldh ExpandRounds 1 0 1 2 3 4 5 6 7 8 Rank(oldH, newh) 511 511 510 511 511 511 512 511 511 ExpandRounds 1 9 10 11 12 13 14 15 16 Rank(oldH, newh) 512 510 510 511 512 512 511 511 Fig. 22. (oldh, newh), ExpandRounds 1=2 Fig. 23. (oldh, newh), ExpandRounds 1=2

10 Conclusion Results presented in this paper are only a small part of analysis which has been performed. As the reader has noticed, only variables M and H have been used as inputs for BMW lin. However, some elementary/main blocks can be analyzed separately, which would give a better insight into the structure of BMW hash function. Results of the complete analysis will follow. In this paper all dependencies form matrices with a full or an almost full rank. The structure of these matrices was expected as well. Matrices of elementary blocks have a non random structure, but they fulfill requirements to mix variables (bits) fast. Matrices of main blocks have a full or an almost full rank and a random structure. We observed that if it is required (and possible) to increase randomness, it can be done by increasing the number of rounds ExpandRounds 1. These observations hold for both versions BMW256 and BMW512. References 1. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family, 2007, NIST, http://csrc.nist.gov/groups/st/hash/index.html. 2. Vlastimil Klima and Danilo Gligoroski, On BLUE MIDNIGHT WISH decomposition, to be published 3. Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and Joørn Amundsen and Stig Frode Mjølsnes, Cryptographic Hash Function BLUE MIDNIGHT WISH. Submission to NIST, September 15, 2009. http://people.item.ntnu.no/ danilog/hash/bmw-secondround/ Supporting Documentation/BlueMidnightWishDocumentation.pdf

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback