Analysis of Kupyna (Christoph Dobraunig, Maria Eichlseder, Florian Mendel), slide deck



SLIDE 1

Analysis of Kupyna

Christoph Dobraunig, Maria Eichlseder, Florian Mendel (ASK 2015)

SLIDE 2

www.iaik.tugraz.at

The Kupyna Hash Function

SLIDE 3

The Kupyna Hash Function

  • Defined in the Ukrainian standard DSTU 7564:2014
  • Replacement for GOST R 34.11-94
  • Design is similar to Grøstl

SLIDE 4

The Kupyna Hash Function

[Figure: iterated hash function. IV → f(·, m1) → f(·, m2) → … → f(·, mt) → Ω → hash; the chaining value passed between the calls of f is 2n bits wide, the final output is n bits.]

  • Iterated hash function
  • Wide-pipe design
  • Merkle-Damgård design principle
  • Strong output transformation Ω

SLIDE 5

The Kupyna Compression Function

[Figure: compression function. h_i = T^⊕(h_{i−1} ⊕ m_i) ⊕ T^+(m_i) ⊕ h_{i−1}, where h_{i−1}, m_i and h_i are all 2n bits wide and the two permutations T^⊕ and T^+ differ only in their AddConstant step.]

  • Permutation-based design similar to Grøstl
  • 8 × 8 state and 10 rounds for Kupyna-256
  • 8 × 16 state and 14 rounds for Kupyna-512

SLIDE 6

The Kupyna-256 Round Transformations

[Figure: the round transformations of T^⊕ and T^+ on the 8 × 8 byte state. AddConstant in T^⊕ XORs the round-dependent byte (j ≪ 4) ⊕ i, i.e. 0i, 1i, …, 7i, into column j in round i. AddConstant in T^+ instead adds a 64-bit constant to each column modulo 2^64: byte 0 of the constant is f3, bytes 1–6 are f0, and byte 7 of columns 0–7 is fi, ei, di, ci, bi, ai, 9i, 8i respectively. SubBytes applies the S-box S to every byte.]

  • AddConstant (AC)
  • SubBytes (SB)
  • ShiftBytes (SH)
  • MixBytes (MB)

AES-like round transformation: r_i = MB ∘ SH ∘ SB ∘ AC

SLIDE 7

Analysis of Kupyna

SLIDE 8

Existing Analysis of Grøstl

  • Grøstl received a large amount of cryptanalysis
  • Initiated by the design team itself → rebound attack
  • Several improvements have been made: internal differential attack, zero-sum distinguisher, meet-in-the-middle attacks, …

SLIDE 9

Existing Analysis of Grøstl

  • F. Mendel, T. Peyrin, C. Rechberger, and M. Schläffer. Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. Selected Areas in Cryptography 2009
  • F. Mendel, C. Rechberger, M. Schläffer, and S. S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. FSE 2009
  • H. Gilbert and T. Peyrin. Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations. FSE 2010
  • K. Ideguchi, E. Tischhauser, and B. Preneel. Improved Collision Attacks on the Reduced-Round Grøstl Hash Function. ISC 2010
  • F. Mendel, C. Rechberger, M. Schläffer, and S. S. Thomsen. Rebound Attacks on the Reduced Grøstl Hash Function. CT-RSA 2010

SLIDE 10

Existing Analysis of Grøstl

  • T. Peyrin. Improved Differential Attacks for ECHO and Grøstl. CRYPTO 2010
  • Y. Sasaki, Y. Li, L. Wang, K. Sakiyama, and K. Ohta. Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. ASIACRYPT 2010
  • C. Boura, A. Canteaut, and C. De Cannière. Higher-Order Differential Properties of Keccak and Luffa. FSE 2011
  • M. Schläffer. Updated Differential Analysis of Grøstl. 2011
  • J. Jean, M. Naya-Plasencia, and T. Peyrin. Improved Rebound Attack on the Finalist Grøstl. FSE 2012

SLIDE 11

Existing Analysis of Grøstl

  • S. Wu, D. Feng, W. Wu, J. Guo, L. Dong, and J. Zou. (Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others. FSE 2012
  • J. Jean, M. Naya-Plasencia, and T. Peyrin. Multiple Limited-Birthday Distinguishers and Applications. Selected Areas in Cryptography 2013
  • M. Minier and G. Thomas. An Integral Distinguisher on Grøstl-512. INDOCRYPT 2013
  • F. Mendel, V. Rijmen, and M. Schläffer. Collision Attack on 5 Rounds of Grøstl. FSE 2014
  • Y. Sasaki, Y. Tokushige, L. Wang, M. Iwamoto, and K. Ohta. An Automated Evaluation Tool for Improved Rebound Attack: New Distinguishers and Proposals of ShiftBytes Parameters for Grøstl. CT-RSA 2014

SLIDE 12

The Rebound Attack

[Figure: the permutation split into three parts E_bw · E_in · E_fw; the inbound phase covers E_in, the two outbound phases cover E_bw and E_fw.]

Inbound phase
  • efficient meet-in-the-middle phase in E_in using the available degrees of freedom

Outbound phase
  • probabilistic part in E_bw and E_fw
  • repeat the inbound phase if needed

SLIDE 13

Attack on the Compression Function

SLIDE 14

Basic Attack Strategy

[Figure: a difference Δ in the message block enters both T^⊕ and T^+; the two output differences have to cancel each other in the feed-forward.]

Semi-free-start collision: f(h_{i−1}, m_i) = f(h_{i−1}, m_i*) with m_i ≠ m_i*, for an arbitrary (attacker-chosen) h_{i−1}

SLIDE 15

Attack on 6 Rounds

In the attack we use the same truncated differential trail in both permutations T^⊕ and T^+ (number of active bytes per round):

8 →(r1) 8 →(r2) 64 →(r3) 64 →(r4) 8 →(r5) 8 →(r6) 64

[Figure: the six rounds AC SB RB MB of T^⊕ (input h0 ⊕ m1) and T^+ (input m1) side by side, feeding forward into h1.]

SLIDE 16

Rebound attack for T^⊕

[Figure: outbound, inbound and outbound parts over the six rounds AC SB RB MB.]

Inbound phase
  • start with differences in round 2 and 4
  • match-in-the-middle using values of the state

Outbound phase
  • uses truncated differentials
  • probabilistic propagation in MixBytes

SLIDE 17

Inbound phase for T^⊕

[Figure: example state bytes across MB AC RB SB MB AC SB RB MB, with the differences of round 2 and round 4 at either end and the match in the middle.]

  • Start with arbitrary differences in round 2 and 4
  • Match-in-the-middle at the SuperBox (SB MB AC SB)
  • with complexity 2^64 we get ∼1 right pair
  • time-memory trade-off with T · M = 2^128 and T ≥ 2^64
  ⇒ 2^64 solutions with complexity 2^64 (amortized cost 1)
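The match-in-the-middle step above, on a scaled-down SuperBox, as an added example that is not part of the slides or the authors' code. Everything in it is an assumption chosen to keep the enumeration small: a column of two 4-bit nibbles instead of eight bytes, the 4-bit PRESENT S-box, a 2 × 2 MDS matrix over GF(2^4) with reduction polynomial x^4 + x + 1, and an XOR round constant. It shows the mechanism of the inbound phase rather than Kupyna's parameters: for a fixed input difference, one pass over all 2^8 column values indexes every resulting output difference, so all 2^8 (value, output difference) solutions cost 2^8 evaluations in total, i.e. amortized cost 1, and a fixed (input, output) difference pair has about one right pair on average.

```python
# Added example: inbound phase of the rebound attack on a toy SuperBox.
# Assumptions (not Kupyna's parameters): 2-nibble column, PRESENT S-box,
# 2x2 MDS matrix over GF(2^4) mod x^4 + x + 1, XOR round constant.
from collections import defaultdict

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MDS = [[1, 1], [1, 2]]      # entries and determinant (3) non-zero, so it is MDS
ROUND_CONST = (0x3, 0x7)    # arbitrary constant for the XOR-based AddConstant


def gf16_mul(a, b):
    """Multiplication in GF(2^4) modulo x^4 + x + 1 (0x13)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= 0x13
        b >>= 1
    return r & 0xF


def mix(col):
    """MixBytes analogue: multiply the 2-nibble column by the MDS matrix."""
    return tuple(gf16_mul(MDS[i][0], col[0]) ^ gf16_mul(MDS[i][1], col[1]) for i in range(2))


def superbox(col):
    """SB -> MB -> AC -> SB on one column (the SuperBox of the slide)."""
    s = tuple(SBOX[v] for v in col)
    a = tuple(v ^ c for v, c in zip(mix(s), ROUND_CONST))
    return tuple(SBOX[v] for v in a)


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def pack(col):
    return (col[0] << 4) | col[1]


def unpack(v):
    return ((v >> 4) & 0xF, v & 0xF)


def inbound_table(delta_in):
    """Match-in-the-middle: for a fixed input difference, run through all 2^8
    column values once and index them by the output difference they produce.
    The pass costs 2^8 SuperBox evaluations and yields 2^8 solutions in total."""
    table = defaultdict(list)
    for v in range(256):
        x = unpack(v)
        dout = xor(superbox(x), superbox(xor(x, delta_in)))
        table[pack(dout)].append(x)
    return table


def inbound_solutions(delta_in, delta_out):
    """Values x such that the pair (x, x ^ delta_in) follows delta_in -> delta_out."""
    return inbound_table(delta_in)[pack(delta_out)]


def is_right_pair(x, delta_in, delta_out):
    return xor(superbox(x), superbox(xor(x, delta_in))) == delta_out


def solution_statistics(delta_in):
    """Total solutions over all output differences and the average per output
    difference; the average is 1, matching the ~1 right pair per difference pair."""
    table = inbound_table(delta_in)
    total = sum(len(v) for v in table.values())
    return total, total / 256


if __name__ == "__main__":
    d_in = (0x1, 0x0)
    table = inbound_table(d_in)
    d_out = unpack(max(table, key=lambda k: len(table[k])))
    print("input diff", d_in, "output diff", d_out, "right pairs:", inbound_solutions(d_in, d_out))
    print("solutions, average per output difference:", solution_statistics(d_in))
```

The same bookkeeping scales to a real SuperBox by replacing the 2^8 loop with the 2^64 column values; the time-memory trade-off on the slide comes from not storing the whole table but only the part needed for the differences currently being matched.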

SLIDE 18

Outbound phase for T^⊕

[Figure: outbound, inbound and outbound parts over the six rounds AC SB RB MB.]

  • Propagate through MixBytes of round 1, 5 and 6 using truncated differences (active bytes: 8 → 8 resp. 1 → 8)
  • probability: 1 in each direction
  ⇒ 2^64 solutions following the differential trail with complexity 2^64

SLIDE 19

Rebound attack for T^+

[Figure: outbound, inbound and outbound parts over the six rounds AC SB RB MB.]

AddConstant (AC^+)
  • modular addition destroys the byte alignment
  • complicates the application of the attack

SLIDE 20

Inbound phase for T^+

[Figure: example state bytes across MB AC RB SB MB AC SB RB MB, with the differences of round 2 and round 4 at either end and the match in the middle.]

  • Start with arbitrary differences in round 2 and 4
  • Match-in-the-middle (AC RB SB MB AC SB)
  • first AC creates dependences between SuperBoxes
  • only consider inputs that never (resp. always) result in a carry

SLIDE 21

Number of solutions

Byte 0: x + F3 > FF → 243 solutions
Byte 1: x + 1 + F0 > FF → 241 solutions
…

Byte position | Valid values | Valid pairs (average)
Byte 0        | 243          | 2^30.6
Byte 1–6      | 241          | 2^26.8
Byte 7        | 256          | 2^56

⇒ 2^54.4 solutions in total (cost 2^63.4)
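The carry restriction behind these counts, as an added example (not the authors' code). It takes the T^+ column constant as read from the slides, with 0xF3 in byte 0, 0xF0 in bytes 1–6 and the round- and column-dependent byte in byte 7, and assumes that byte 0 is the least significant byte of the 64-bit column word (this is what makes "x + F3 > FF" the carry condition of byte 0 and leaves byte 7 unconstrained). Restricting every byte position to inputs that always produce a carry turns the 64-bit modular addition into eight independent byte-wise additions, so the SuperBoxes decouple again; the code counts the admissible values per position (243, 241, …, 256), shows that their product is about 2^63.4, and checks the byte-wise model against the real addition on sampled valid columns and on an invalid one.

```python
# Added example: the "always carry" restriction on the modular AddConstant of T^+.
# Assumption: column bytes 0..7 form a little-endian 64-bit word, with the
# constant (f3, f0, f0, f0, f0, f0, f0, (f-j)i) as on the slides.
import math
import random

MASK64 = (1 << 64) - 1


def column_constant(col, rnd):
    """T^+ AddConstant constant of column col in round rnd, as read from the slides."""
    top = ((0xF - col) << 4) ^ rnd          # fi, ei, ..., 8i for columns 0..7
    return bytes([0xF3, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, top])


def carry_fixed_values(c, carry_in, want_carry):
    """All byte values x for which x + c + carry_in has carry-out == want_carry."""
    return [x for x in range(256) if ((x + c + carry_in) >> 8) == want_carry]


def valid_value_counts(col=0, rnd=0):
    """Admissible values per byte position under the always-carry model:
    byte 0 has no carry-in, bytes 1..6 receive a carry of 1, byte 7 is free."""
    const = column_constant(col, rnd)
    counts = [len(carry_fixed_values(const[0], 0, 1))]
    counts += [len(carry_fixed_values(const[j], 1, 1)) for j in range(1, 7)]
    counts.append(256)
    return counts


def log2_valid_inputs(col=0, rnd=0):
    """log2 of the number of column values that satisfy the always-carry model."""
    return sum(math.log2(n) for n in valid_value_counts(col, rnd))


def bytewise_model(x_bytes, const):
    """Byte-aligned replacement for the modular addition: every byte position
    is computed on its own with the carry-in fixed to the always-carry value."""
    out = [(x_bytes[0] + const[0]) & 0xFF]
    out += [(x_bytes[j] + const[j] + 1) & 0xFF for j in range(1, 8)]
    return bytes(out)


def modular_add(x_bytes, const):
    """The real AddConstant step: 64-bit addition of the column word and the constant."""
    x = int.from_bytes(x_bytes, "little")
    c = int.from_bytes(const, "little")
    return ((x + c) & MASK64).to_bytes(8, "little")


def model_matches(x_bytes, col=0, rnd=0):
    const = column_constant(col, rnd)
    return bytewise_model(x_bytes, const) == modular_add(x_bytes, const)


def random_valid_column(rng, col=0, rnd=0):
    """Sample a column whose bytes all lie in the always-carry sets."""
    const = column_constant(col, rnd)
    b = [rng.choice(carry_fixed_values(const[0], 0, 1))]
    b += [rng.choice(carry_fixed_values(const[j], 1, 1)) for j in range(1, 7)]
    b.append(rng.randrange(256))
    return bytes(b)


def check_model(trials=1000, seed=1):
    """True if the byte-wise model agrees with the modular addition on all sampled valid columns."""
    rng = random.Random(seed)
    return all(model_matches(random_valid_column(rng)) for _ in range(trials))


if __name__ == "__main__":
    print("valid values per byte:", valid_value_counts())
    print("log2(#valid columns) =", round(log2_valid_inputs(), 2))
    print("byte-wise model holds on valid columns:", check_model())
    print("byte-wise model on the all-zero column:", model_matches(bytes(8)))
```

The product 243 · 241^6 · 256 ≈ 2^63.4 is the cost figure of the slide: every column value outside these sets is discarded, which is why the T^+ inbound phase is slightly more expensive than the T^⊕ one while yielding fewer solutions. Choosing "never carry" instead would leave only 13 values for byte 0 and 16 for bytes 1–6, so "always carry" is the better side of the split.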

SLIDE 22

Outbound phase for T^+

[Figure: outbound, inbound and outbound parts over the six rounds AC SB RB MB.]

  • Propagate through MixBytes in round 1, 5 and 6: probability 1 (same as for T^⊕)
  • Propagate through AddConstant in round 1, 2, 5 and 6: probability 2^−2.45
  ⇒ 2^51.95 solutions following the differential trail with complexity 2^63.4

SLIDE 23

Attack on 6 Rounds

[Figure: the six rounds of T^⊕ (input h0 ⊕ m1) and T^+ (input m1) side by side, feeding forward into h1.]

  • Construct 2^a pairs following the differential trail in T^⊕: one solution with amortized cost 1
  • Construct 2^(128−a) pairs following the differential trail in T^+: one solution with amortized cost 2^11.55
  ⇒ semi-free-start collision with complexity 2^69.8 (for a = 69.8)

SLIDE 24

Extending the Attack to 7 Rounds

Sequence of active S-boxes (active bytes per round):

8 →(r1) 8 →(r2) 64 →(r3) 64 →(r4) 8 →(r5) 1 →(r6) 8 →(r7) 64

  • Inbound phase is the same as before
  • Outbound phase is extended by one round (probability: 2^−56)
  ⇒ semi-free-start collision with complexity 2^125.8

SLIDE 25

Attacks on Kupyna-256

Compression Function

rounds | complexity | memory
6      | 2^69.8     | 2^64
7      | 2^125.8    | 2^64

SLIDE 26

Attack on the Hash Function

SLIDE 27

Basic Attack Strategy

  • Combines ideas of the attack on SMASH with the rebound attack
  • Similar to the attack on Grindahl
  • Attack uses a new type of truncated differential trail spanning over more than one message block
  • Starting with an (almost) arbitrary difference in the chaining variable
  • Iteratively canceling the differences in the chaining variable
  • Having only differences in one of the two permutations (e.g. T^⊕)

SLIDE 28

Equivalent Description of Kupyna

To simplify the description of the attack we use an equivalent description of the hash function:

ĥ_0 = MB^−1(IV)
ĥ_i = T̂^⊕(MB(ĥ_{i−1}) ⊕ m_i) ⊕ T̂^+(m_i) ⊕ ĥ_{i−1}   for 1 ≤ i ≤ t
hash = Ω(MB(ĥ_t))

with h_i = MB(ĥ_i). The last MixBytes transformation of the permutations T^⊕ and T^+ is swapped with the XOR operation of the feed-forward, i.e. T̂^⊕ and T̂^+ are the permutations without their final MixBytes.

SLIDE 29

Attack on 4 Rounds

The core of the attack on 4 rounds are truncated differential trails for T̂^⊕ with only 8 active bytes at the output of round r4:

64 →(r1) 64 →(r2) 8 →(r3) 8 →(r4) 8

Using the rebound attack, all 2^64 solutions for this truncated differential trail with a given/fixed difference at the input of T̂^⊕ can be found with complexity 2^64 in time and memory.

SLIDE 30

Attack on 4 Rounds

  • Choose some arbitrary m1, m1* to get a fully active state in ĥ_1
  • Construct 2^64 solutions for the truncated differential trail in T̂^⊕ to find an m2 such that 8 bytes of the difference in ĥ_2 are canceled

[Figure: the four rounds of T̂^⊕ (AC SB RB MB, three times, then AC SB RB) and of T̂^+ for message block m2, mapping ĥ_1 to ĥ_2.]

SLIDE 31

Attack on 4 Rounds

  • Construct 2^64 solutions for a rotated variant of the truncated differential trail to cancel another 8 bytes of the difference in ĥ_3

[Figure: the four rounds of T̂^⊕ and T̂^+ for message block m3, mapping ĥ_2 to ĥ_3.]

SLIDE 32

Attack on 4 Rounds

  • Repeat this in total 8 times until a collision has been found in ĥ_9

[Figure: the four rounds of T̂^⊕ and T̂^+ for message block m9, mapping ĥ_8 to ĥ_9.]

⇒ Collision attack for 4 rounds with complexity of 8 · 2^64 = 2^67

SLIDE 33

Extending the Attack to 5 Rounds

SLIDE 34

Attack on 5 Rounds

For the attack on 5 rounds we use truncated differential trails with only one active byte at the output of round r3:

64 →(r1) 64 →(r2) 8 →(r3) 1 →(r4) 8 →(r5) 8

Using the rebound attack, all 2^8 solutions for this truncated differential with a given/fixed difference at the input of T̂^⊕ can be found with complexity 2^64 in time and memory.

SLIDE 35

Attack on 5 Rounds

  • Each step of the attack will succeed only with probability 2^−56
  • We can compensate this by using more message blocks and repeating each step of the attack 2^56 times
  • Any of the 2^8 solutions can be used to get a new starting point for the next iteration, while keeping the same bytes inactive in the chaining variable
  ⇒ Collision attack for 5 rounds with complexity of 8 · 2^(64+56) = 2^123

SLIDE 36

Summary

Compression Function

rounds | complexity | memory
6      | 2^69.8     | 2^64
7      | 2^125.8    | 2^64

Hash Function

rounds | complexity | memory
4      | 2^67       | 2^64
5      | 2^120      | 2^64

SLIDE 37

Thank you!

http://eprint.iacr.org/2015/956
