Analysis of Kupyna: presentation slides by Christoph Dobraunig, Maria Eichlseder and Florian Mendel (ASK 2015)


  1. Analysis of Kupyna
     Christoph Dobraunig, Maria Eichlseder, Florian Mendel
     ASK 2015

  2. The Kupyna Hash Function
     www.iaik.tugraz.at

  3. The Kupyna Hash Function
     - Defined in the Ukrainian standard DSTU 7564:2014
     - Replacement for GOST R 34.11-94
     - Design is similar to Grøstl

  4. The Kupyna Hash Function
     [Figure: iterated hash function; the message blocks $m_1, m_2, \ldots, m_t$ are processed by the compression function $f$ starting from $IV$ with a $2n$-bit chaining value, and the output transformation $\Omega$ produces the $n$-bit hash]
     - Iterated hash function
     - Wide-pipe design
     - Merkle-Damgård design principle
     - Strong output transformation

  5. The Kupyna Compression Function
     [Figure: compression function $f$ with inputs $h_{i-1}$ and $m_i$ ($2n$ bits each); $m_i$ enters the permutation $T^{+}$, $h_{i-1} \oplus m_i$ enters the permutation $T^{\oplus}$, and both $2n$-bit outputs are XORed with $h_{i-1}$ to give $h_i$]
     - Permutation based design similar to Grøstl
     - $8 \times 8$ state and 10 rounds for Kupyna-256
     - $8 \times 16$ state and 14 rounds for Kupyna-512

  6. The Kupyna-256 Round Transformations
     [Figure: the four round transformations SubBytes, ShiftBytes, MixBytes and AddConstant on the $8 \times 8$ byte state; AddConstant adds column constants (bytes f3 and f0 plus a round- and column-dependent byte) modulo $2^{64}$ in $T^{+}$ and XORs a round- and column-dependent byte into each column in $T^{\oplus}$]
     - AES-like round transformation
     - $r_i = MB \circ SH \circ SB \circ AC$

  7. Analysis of Kupyna

  8. Existing Analysis of Grøstl
     - Grøstl received a large amount of cryptanalysis
     - Initiated by the design team itself → rebound attack
     - Several improvements have been made
     - Internal differential attack
     - Zero-sum distinguisher
     - Meet-in-the-middle attacks
     - ...

  9. Existing Analysis of Grøstl
     - F. Mendel, T. Peyrin, C. Rechberger, M. Schläffer: Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. Selected Areas in Cryptography 2009
     - F. Mendel, C. Rechberger, M. Schläffer, S. S. Thomsen: The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. FSE 2009
     - H. Gilbert, T. Peyrin: Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations. FSE 2010
     - K. Ideguchi, E. Tischhauser, B. Preneel: Improved Collision Attacks on the Reduced-Round Grøstl Hash Function. ISC 2010
     - F. Mendel, C. Rechberger, M. Schläffer, S. S. Thomsen: Rebound Attacks on the Reduced Grøstl Hash Function. CT-RSA 2010

  10. Existing Analysis of Grøstl
     - T. Peyrin: Improved Differential Attacks for ECHO and Grøstl. CRYPTO 2010
     - Y. Sasaki, Y. Li, L. Wang, K. Sakiyama, K. Ohta: Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. ASIACRYPT 2010
     - C. Boura, A. Canteaut, C. De Cannière: Higher-Order Differential Properties of Keccak and Luffa. FSE 2011
     - M. Schläffer: Updated Differential Analysis of Grøstl. 2011
     - J. Jean, M. Naya-Plasencia, T. Peyrin: Improved Rebound Attack on the Finalist Grøstl. FSE 2012

  11. Existing Analysis of Grøstl
     - S. Wu, D. Feng, W. Wu, J. Guo, L. Dong, J. Zou: (Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others. FSE 2012
     - J. Jean, M. Naya-Plasencia, T. Peyrin: Multiple Limited-Birthday Distinguishers and Applications. Selected Areas in Cryptography 2013
     - M. Minier, G. Thomas: An Integral Distinguisher on Grøstl-512. INDOCRYPT 2013
     - F. Mendel, V. Rijmen, M. Schläffer: Collision Attack on 5 Rounds of Grøstl. FSE 2014
     - Y. Sasaki, Y. Tokushige, L. Wang, M. Iwamoto, K. Ohta: An Automated Evaluation Tool for Improved Rebound Attack: New Distinguishers and Proposals of ShiftBytes Parameters for Grøstl. CT-RSA 2014

  12. The Rebound Attack
     [Figure: the permutation split into $E_{bw}$, $E_{in}$ and $E_{fw}$; the inbound phase covers $E_{in}$, the two outbound phases cover $E_{bw}$ and $E_{fw}$]
     - Inbound phase: efficient meet-in-the-middle phase in $E_{in}$ using the available degrees of freedom
     - Outbound phase: probabilistic part in $E_{bw}$ and $E_{fw}$; repeat the inbound phase if needed

  13. Attack on the Compression Function

  14. Basic Attack Strategy
     [Figure: the difference $\Delta$ in the message input passes through both permutations $T^{+}$ and $T^{\oplus}$]
     - Semi-free-start collision: $f(h_{i-1}, m_i) = f(h_{i-1}, m_i^*)$ with $m_i \neq m_i^*$ and arbitrary $h_{i-1}$

  15. Attack on 6 Rounds
     - In the attack we use the same truncated differential trail in both permutations $T^{\oplus}$ and $T^{+}$ (number of active bytes per round):
       $8 \xrightarrow{r_1} 8 \xrightarrow{r_2} 64 \xrightarrow{r_3} 64 \xrightarrow{r_4} 8 \xrightarrow{r_5} 8 \xrightarrow{r_6} 64$
     [Figure: the trail through the six rounds (AC, SB, RB, MB) of both permutations, with $m_1$, $h_0$ and $h_1$ labelled]

  16. Rebound attack for $T^{\oplus}$
     [Figure: the six rounds (AC, SB, RB, MB) with the inbound phase in the middle and an outbound phase on each side]
     - Inbound phase: start with differences in round 2 and 4; match-in-the-middle using values of the state
     - Outbound phase: uses truncated differentials; probabilistic propagation in MixBytes

  17. Inbound phase for $T^{\oplus}$
     [Figure: byte values of the states in rounds 2 to 4 (SB, RB, MB, AC), with the differences from both sides that have to match in the middle]
     - Start with arbitrary differences in round 2 and 4
     - Match-in-the-middle at the SuperBox ($SB \circ MB \circ AC \circ SB$)
     - With complexity $2^{64}$ we get $\sim 1$ right pair
     - Time-memory trade-off with $T \cdot M = 2^{128}$ and $T \geq 2^{64}$
     ⇒ $2^{64}$ solutions with complexity $2^{64}$ (amortized cost 1)

  18. Outbound phase for $T^{\oplus}$
     [Figure: the six rounds (AC, SB, RB, MB) with the inbound phase in the middle and an outbound phase on each side]
     - Propagate through MixBytes of round 1, 5 and 6 using truncated differences (active bytes: 8 → 8 resp. 1 → 8)
     - Probability: 1 in each direction
     ⇒ $2^{64}$ solutions following the differential trail with complexity $2^{64}$

  19. Rebound attack for $T^{+}$
     [Figure: the six rounds (AC, SB, RB, MB) with the inbound phase in the middle and an outbound phase on each side]
     - AddConstant (AC) is a modular addition
     - Destroys the byte-alignment
     - Complicates the application of the attack

  20. Inbound phase for $T^{+}$
     [Figure: byte values of the states in rounds 2 to 4 (AC, RB, SB, MB, AC, SB), with the differences from both sides that have to match in the middle]
     - Start with arbitrary differences in round 2 and 4
     - Match-in-the-middle ($AC \circ RB \circ SB \circ MB \circ AC \circ SB$)
     - The first AC creates dependences between the SuperBoxes
     - Only consider inputs that never (resp. always) result in a carry

  21. Number of solutions
     - Byte 0: $x + \mathtt{F3} > \mathtt{FF}$ → 243 solutions
     - Byte 1: $x + 1 + \mathtt{F0} > \mathtt{FF}$ → 241 solutions
     - ...

     Byte position | Valid values | Valid pairs (average)
     Byte 0        | 243          | 230.6
     Byte 1–6      | 241          | 226.8
     Byte 7        | 256          | 256

     ⇒ $2^{54.4}$ solutions in total (cost $2^{63.4}$)

  22. Outbound phase for $T^{+}$
     [Figure: the six rounds (AC, SB, RB, MB) with the inbound phase in the middle and an outbound phase on each side]
     - Propagate through MixBytes in round 1, 5 and 6: probability 1 (same as for $T^{\oplus}$)
     - Propagate through AddConstant in round 1, 2, 5 and 6: probability $2^{-2.45}$
     ⇒ $2^{51.95}$ solutions following the differential trail with complexity $2^{63.4}$

  23. Attack on 6 Rounds
     [Figure: the 6-round trail (AC, SB, RB, MB) in both permutations, with $m_1$, $h_0$ and $h_1$ labelled]
     - Construct $2^{a}$ pairs following the differential trail in $T^{\oplus}$ (one solution with amortized cost 1)
     - Construct $2^{128-a}$ pairs following the differential trail in $T^{+}$ (one solution with amortized cost $2^{11.55}$)
     ⇒ semi-free-start collision with complexity $2^{69.8}$ (for $a = 69.8$)
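The carry restriction of slides 20 and 21 and the cost balance of slides 22 and 23, worked through in Python. This is an added example, not code from the slides or from the Kupyna designers: the per-byte constants (F3 for byte 0, F0 for bytes 1 to 6, an arbitrary value for the unconstrained byte 7) are assumptions read off the byte conditions on slide 21 and do not reproduce the actual Kupyna round constants, the function names are ours, and the random columns are constructed test input. Beyond the slide, it also evaluates the "never carry" branch and checks that, on the restricted inputs, the modular addition really acts byte by byte, which is what makes the SuperBoxes independent again.

```python
"""Carry restriction for the T+ AddConstant and the resulting counts (added example)."""
from math import log2
import random

# Assumed 64-bit column constant, least significant byte first: read off
# slide 21 (byte 0 adds F3, bytes 1..6 add F0). Byte 7 is arbitrary here,
# since its carry-out is discarded and it is never constrained.
CONST = [0xF3] + [0xF0] * 6 + [0x00]


def valid_values(byte_pos, always_carry=True):
    """Byte values x at byte_pos that, with the carry-in forced by the lower
    bytes, always (resp. never) produce a carry-out. In the "always" branch
    every byte above byte 0 sees carry-in 1, in the "never" branch carry-in 0."""
    if byte_pos == 7:
        return list(range(256))
    cin = 1 if (byte_pos > 0 and always_carry) else 0
    return [x for x in range(256)
            if ((x + CONST[byte_pos] + cin) > 0xFF) == always_carry]


def average_valid_pairs(n_valid):
    """Pairs (x, x ^ d) with both values valid, averaged over the 256 byte
    differences d: summing |{x valid : x ^ d valid}| over d gives n_valid**2."""
    return n_valid * n_valid / 256


def superbox_statistics(always_carry=True):
    """Per-byte valid values and pairs, log2 of the valid 64-bit column inputs
    (cost of building one SuperBox table) and log2 of the expected number of
    inbound solutions over the 8 SuperBoxes of the 8 x 8 state."""
    counts = [len(valid_values(i, always_carry)) for i in range(8)]
    pairs = [average_valid_pairs(n) for n in counts]
    log_inputs = sum(log2(n) for n in counts)
    # Unrestricted, the inbound phase yields 2^64 solutions; every byte of
    # every one of the 8 columns keeps only the fraction pairs/256 of them.
    log_solutions = 64 + 8 * sum(log2(p / 256) for p in pairs)
    return counts, pairs, log_inputs, log_solutions


def bytewise_add(col):
    """Byte-wise model of X + CONST once the carry pattern is fixed:
    every byte above byte 0 adds its constant plus carry-in 1."""
    return [(x + c + (1 if i else 0)) & 0xFF
            for i, (x, c) in enumerate(zip(col, CONST))]


def real_add(col):
    """The actual 64-bit modular addition of the column constant."""
    x = int.from_bytes(bytes(col), "little")
    c = int.from_bytes(bytes(CONST), "little")
    return list(((x + c) & (2**64 - 1)).to_bytes(8, "little"))


def bytewise_model_holds(restricted=True, trials=2000, seed=1):
    """Sample constructed random columns and compare the modular addition with
    the byte-wise model; with the carry restriction they always agree."""
    rng = random.Random(seed)
    pools = [valid_values(i) for i in range(8)] if restricted else [list(range(256))] * 8
    return all(real_add(col) == bytewise_add(col)
               for col in ([rng.choice(p) for p in pools] for _ in range(trials)))


def balance_exponent(total_bits=128.0, cost_xor=0.0, cost_add=11.55):
    """Choose a so that 2^a solutions in T-xor (amortized cost 2^cost_xor each)
    and 2^(total_bits - a) solutions in T+ (amortized cost 2^cost_add each)
    cost the same; returns a and log2 of the total attack complexity."""
    a = (total_bits + cost_add - cost_xor) / 2
    return a, a + cost_xor


if __name__ == "__main__":
    counts, pairs, log_inputs, log_solutions = superbox_statistics()
    print("valid values per byte:", counts)
    print("valid pairs per byte:", [round(p, 1) for p in pairs])
    print(f"valid column inputs: 2^{log_inputs:.1f}, solutions: 2^{log_solutions:.1f}")
    print("byte-wise model holds on restricted inputs:", bytewise_model_holds())
    print("byte-wise model holds on unrestricted inputs:", bytewise_model_holds(False))
    print("balanced a, total complexity (log2):", balance_exponent())
```

The "always carry" branch gives the 243 and 241 valid values and the 230.6 and 226.8 average pairs of slide 21, $2^{63.4}$ valid column inputs and $2^{54.4}$ solutions; the "never carry" branch leaves only 13 and 16 values per byte (about $2^{35.7}$ column inputs), which is why the attack works with the carrying inputs. The balance step takes the amortized cost $2^{11.55}$ from slide 23 as given and returns $a \approx 69.8$.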

  24. Extending the Attack to 7 Rounds
     - Sequence of active SBoxes:
       $8 \xrightarrow{r_1} 8 \xrightarrow{r_2} 64 \xrightarrow{r_3} 64 \xrightarrow{r_4} 8 \xrightarrow{r_5} 1 \xrightarrow{r_6} 8 \xrightarrow{r_7} 64$
     - Inbound phase is the same as before
     - Outbound phase is extended by one round (probability: $2^{-56}$)
     ⇒ semi-free-start collision with complexity $2^{125.8}$

  25. Attacks on Kupyna-256 Compression Function

     rounds | complexity  | memory
     6      | $2^{69.8}$  | $2^{64}$
     7      | $2^{125.8}$ | $2^{64}$

  26. Attack on the Hash Function
