asiacrypt 2013
play

ASIACRYPT 2013 1 Cryptographic Hash Function Public function - PowerPoint PPT Presentation

Jan 14, 2024 •335 likes •840 views

Improved Cryptanalysis of Reduced RIPEMD-160 Florian Mendel, Thomas Peyrin, Martin Schlffer, Lei Wang, and Shuang Wu ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long messages Output: short random

  1. Improved Cryptanalysis of Reduced RIPEMD-160 Florian Mendel, Thomas Peyrin, Martin Schläffer, Lei Wang, and Shuang Wu ASIACRYPT 2013 1

  2. Cryptographic Hash Function • Public function  Input: arbitrary long messages  Output: short random digests • A fundamental primitive in cryptography This document has to be stored without any modification for AC376EB a long time. So we should get a hash digest. 2

  3. Security Notions • Collision attack Find and such that and • Collision resistance Finding a collision takes no less than 2 n/2 computations (n is digest bit size). 3

  4. Security Notions • Second peimage attack Given , find such that and • Second preimage resistance Finding a second preimage takes no less than 2 n computations (n is digest bit size). 4

  5. Security Notions • Peimage attack Given , find a such that • Preimage resistance Finding a preimage takes no less than 2 n computations (n is digest bit size). 5

  6. Iterative Hash Function Design • Compression function: public function for which the input and output size is fixed . • Domain extension: an algorithm which iterates the compression function to handle arbitrary long messages.  e.g., Merkle-Damgård mode Initial value 6

  7. A security notion on compression function • Semi-free-start collision attack Find , and such that • Resistance requirement: no less than 2 n/2 7

  8. MD-SHA Family • Well-known dedicated hash functions since 1990s • Merkle-Damgård mode • Compression function  Addition-Rotation-Xor  Bitwise Boolean function  Unbalanced Feistel Network 8

  9. MD-SHA Family • Broken hash functions  MD4, MD5, SHA-0, SHA-1, HAVAL, RIPEMD-0, RIPEMD-128 • Unbroken hash functions  RIPEMD-160 , SHA-2 9

  10. Security State of RIPEMD-160 • After 17 years since 1996 Target Type #Steps Complexity Ref. 2 148 Compression Preimage 31 OSS12 2 155 Hash Preimage 31 OSS12 Compression Non-randomness 48 low MNSS12 2 158 Compression Non-randomness 52 SW12 Compression Semi-free-start collision 36 low MNSS12 2 75.5 Compression Semi-free-start collision 42 Ours 2 70.4 Compression Semi-free-start collision 36* Ours *: Our 36-step attack starts from the first step . 10

  11. Outline • RIPEMD-160 specification • Attack overview • Find a differential path • Find a confirming pair • Conclusion 11

  12. Outline • RIPEMD-160 specification • Attack overview • Find a differential path • Find a confirming pair • Conclusion 12

  13. RIPEMD-160 • Designed by Dobbertin, Bosselaers and Preneel • Worldwide ISO/IEC standard • Double-branch compression function 13

  14. Compared to RIPEMD-128 • Our attacks are based on recent analysis approach of RIPEMD-128 [LP13] • Larger digest size: 128 → 160 • Increased number of steps: 64 → 80 • The step function has stronger diffusion and o�e �free ter��  Significant impact to differential path  The reason that #attacked steps is less. 14

  15. RIPEMD-128 RIPEMD-160 : modular addition : Boolean function , : constants : left cyclic rotation 15

  16. Outline • RIPEMD-160 specification • Attack overview • Find a differential path • Find a confirming pair • Conclusion 16

  17. Attack Overview • The same with the attacks on RIPEMD-128 [LP13] � � � 0 Non-linear linear 0 linear Non-linear � � � 17

  18. Rationale of Our Attack Strategy • 80 steps are re-grouped into 5 rounds • Each round has a distinct Boolean function • The Boolean function has significant impact to non-linear differential path search ONX IFZ ONZ IFX XOR round 2 round 3 round 4 round 5 round 1 XOR IFX ONZ IFZ ONX XOR: IFZ: ONZ: IFX: ONX: 18

  19. Rationale of Our Attack Strategy • Absorption : an input bit difference does not necessarily propagate to the output bit  Strong absorption: IFX, IFZ  Weak absorption: ONX, ONZ  No absorption: XOR ONX IFZ ONZ IFX XOR round 2 round 3 round 4 round 5 round 1 XOR IFX ONZ IFZ ONX 19

  20. Rationale of Our Attack Strategy • Non-linear differential path should locate in rounds with a strong absorption Boolean function.  Easier to search non-linear path  Sparser non-linear paths ONX IFZ ONZ IFX XOR round 2 round 3 round 4 round 5 round 1 XOR IFX ONZ IFZ ONX 20

  21. Rationale of Our Attack Strategy • Attack starts from the second round • Discuss attacks starting from the first round later . ONX IFZ ONZ IFX XOR round 2 round 3 round 4 round 5 round 1 XOR IFX ONZ IFZ ONX 21

  22. Rationale of Our Attack Strategy • Message words locate in different steps between the two branches IFZ ONZ round 3 round 2 IFX ONZ 22

  23. Rationale of Our Attack Strategy • A waste of message word freedom exists if the search start s from the beginning step . 23

  24. Rationale of Our Attack Strategy • A waste of message word freedom exists if the search start s from the beginning step . • : two subsets of the message words in the dense part of the two differential paths  24

  25. Rationale of Our Attack Strategy • Satisfy dense parts firstly by using the freedom of internal state and the message words .  Use the independency between and  Start-from-the-middle procedures 25

  26. Wrapping up � � � ONX IFZ ONZ IFX round 2 round 3 round 4 round 1 IFZ ONZ IFX XOR � � � 26

  27. Outline • RIPEMD-160 specification • Attack overview • Find a differential path  Choose message difference  Search non-linear path • Find a confirming pair • Conclusion 27

  28. The Choice of Message Word • Single message word difference • Examine the potential #attacked steps for each messages word with respect to  short non-linear paths in both branch  early step of the two non-linear path are near  sparse later steps of non-linear path  output difference cancellation of the two branches by the feed-forward operation 28

  29. The Choice of Message Word Message word #attacked steps 51 46 52 48 Message word #attacked steps 42 50 39 56 Message word #attacked steps 36 39 37 38 Message word #attacked steps 38 34 58 43 29

  30. The Choice of Message Word Message word #attacked steps 51 46 52 48 Message word 56 #attacked steps 42 50 39 Message word #attacked steps 36 39 37 38 Message word 58 #attacked steps 38 34 43 30

  31. Automatic Non-Linear Path Search • Bit-slices for all operations including modular addition in the step function developed in [CR06] • Generalized conditions for two bits and 31

  32. Automatic Non-Linear Path Search • Bit-slices for all operations including modular addition in the step function developed in [CR06] • Generalized conditions for two bits and  Initialize each bit as ? 32

  33. Automatic Non-Linear Path Search • Bit-slices for all operations including modular addition in the step function developed in [CR06] • Generalized conditions for two bits and  Initialize each bit as ?  Finalize each bit as one of {-, u, n, 0, 1} 33

  34. Automatic Non-Linear Path Search • Use the algorithm developed in [MNS11, MNS12] 34

  35. Specific Configuration for RIPEMD-160 • Two carries to handle in one step function  Computed and stored together as a 3-bit condition carry 1 carry 2 35

  36. Resulted Differential Path • Use message word • 48 steps (16-64) 36

  37. Resulted Differential Path • Use message word • 48 steps (16-64) Dense parts 37

  38. Outline • RIPEMD-160 specification • Attack overview • Find a differential path • Find a confirming pair  Merge two branches  Evaluate complexity • Conclusion 38

  39. Merge Two Branches • Refer to the paper for detailed procedure Phase 1. fix some free bits to fulfill in advance some conditions in differential path Phase 2. start-from-the-middle adaptively choose free bits sequentially to fulfill conditions in dense part of differential path Phase 3. use remaining free bits to merge the internal states of both branches to a freely chosen 39

  40. Merge Two Branches 40

  41. Merge Two Branches Fix these internal state words 41

  42. Merge Two Branches Adaptively choose message words forward and backward to fulfill the conditions 42

  43. A � Starting Point � after Phase 2 43

  44. Merge Two Branches Use these remaining free bits to merge the two branches 44

  45. Evaluate Complexity • The uncontrolled probability of merging is 2 -77.4  #necessary starting points: 2 77.4 • One starting point is generated by 4 step functions, which is 2 -4.4 (=4/42*2) • The merging for each starting point costs 2 -1.9 Overall complexity: 45

  46. Evaluate Complexity • The uncontrolled probability of merging is 2 -77.4  #necessary starting points: 2 77.4 • One starting point is generated by 4 step functions, which is 2 -4.4 (=4/42*2) • The merging for each starting point costs 2 -1.9 Overall complexity: We cannot afford the probabilities for steps 58 to 64. #attacked step is 42, while differential path has 48 steps. 46

  47. Attack from the First Round • The non-linear path in XOR round should be as short as possible ONX IFZ round 2 round 1 XOR IFX 47

  48. Outline • RIPEMD-160 specification • Attack overview • Find a differential path • Find a confirming pair • Conclusion 48

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
Notions of Black-Box Reductions, Revisited ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Marc

Notions of Black-Box Reductions, Revisited ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Marc

Notions of Black-Box Reductions, Revisited ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Marc Fischlin Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and Center For Advanced Security Research

587 views • 42 slides
On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore, India Foteini Baldimtsi, Anna Lysyanskaya 2 Blind Signatures [Chaum'82] Blind signatures are a special type of digital signatures. Signer is

439 views • 33 slides
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec. 5th 2018 1 / 55 Yu Chen 1 Yuyu Wang 2 Hong-Sheng Zhou 3 1 SKLOIS-IIE-CAS, UCAS 2 Tokyo Institute of Technology, IOHK, AIST 3 Virginia Commonwealth

1.29k views • 116 slides
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec. 5th 2018 1 / 51 Yu Chen 1 Yuyu Wang 2 Hong-Sheng Zhou 3 1 SKLOIS-IIE-CAS, UCAS 2 Tokyo Institute of Technology, IOHK, AIST 3 Virginia Commonwealth

1.2k views • 104 slides
A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003,

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003,

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003, Taipei Kaoru Kurosawa 1 , Katja Schmidt-Samoa 2 , Tsuyoshi Takagi 2 1 Ibaraki University 2 Technische Universit at Darmstadt A Complete and

408 views • 39 slides
A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
Democracy, Security and Evidence lets have all three ASIACRYPT 2018 Vanessa Teague

Democracy, Security and Evidence lets have all three ASIACRYPT 2018 Vanessa Teague

Democracy, Security and Evidence lets have all three ASIACRYPT 2018 Vanessa Teague University of Melbourne December 5, 2018 Secure voting system designs predate computers Actually, they predate paper too. The votes are private. The

644 views • 31 slides
Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018 Brisbane, Australia ECC vs. post-quantum ECC W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404 Alice 2 " -isogenies, Bob 3 $

766 views • 19 slides
The Moral Character of IACR Distinguished Lecture Cryptographic Work Asiacrypt 2015 Auckland,

The Moral Character of IACR Distinguished Lecture Cryptographic Work Asiacrypt 2015 Auckland,

Phillip Rogaway The Moral Character of IACR Distinguished Lecture Cryptographic Work Asiacrypt 2015 Auckland, New Zealand 2 December 2015 web.cs.ucdavis.edu/~rogaway/ for corresponding essay Today: Social responsibility of scientists

465 views • 31 slides
Tamper resilient circuits: The Adversary at the Gates Yiannis Tselekounis Joint work with

Tamper resilient circuits: The Adversary at the Gates Yiannis Tselekounis Joint work with

Tamper resilient circuits: The Adversary at the Gates Yiannis Tselekounis Joint work with Aggelos Kiayias University of Athens Asiacrypt 2013 - December 4, 2013 Introduction Attacking a cryptographic implementation Cryptographic device

258 views • 24 slides
Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas Peyrin 1 ,

655 views • 44 slides
Revised: March 4, 2013 3/19/2013 3/19/2013 2 3/19/2013 3 3/19/2013 4 3/19/2013 5

Revised: March 4, 2013 3/19/2013 3/19/2013 2 3/19/2013 3 3/19/2013 4 3/19/2013 5

Revised: March 4, 2013 3/19/2013 3/19/2013 2 3/19/2013 3 3/19/2013 4 3/19/2013 5 3/19/2013 3/19/2013 6 01.18.2013 3/19/2013 7 3/19/2013 8 3/19/2013 9 Source: Urban Institute HIPSM 2013; OSU 2013. Note: Estimates include effects

871 views • 49 slides
How to Construct an Ideal Cipher from a Small Set of Public Permutations Rodolphe Lampe and

How to Construct an Ideal Cipher from a Small Set of Public Permutations Rodolphe Lampe and

How to Construct an Ideal Cipher from a Small Set of Public Permutations Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI ASIACRYPT 2013 December 3, 2013 Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public

1.06k views • 92 slides
Efficient One-Way Secret-Key Agreement and Private Channel Coding via Polarization Joseph M.

Efficient One-Way Secret-Key Agreement and Private Channel Coding via Polarization Joseph M.

Efficient One-Way Secret-Key Agreement and Private Channel Coding via Polarization Joseph M. Renes, Renato Renner, David Sutter Institute for Theoretical Physics ASIACRYPT 2013, Bangalore 1 / 13 Information Theoretic Cryptography Goal:

600 views • 21 slides
Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency ASIACRYPT 2013 Kwangsu Lee, Seung Geol Choi, Dong Hoon Lee, Jong Hwan Park and Moti Yung Korea University, US Naval Academy, Korea

993 views • 26 slides
Open-World Probabilistic Databases Guy Van den Broeck FLAIRS May 23, 2017 Overview 1. Why

Open-World Probabilistic Databases Guy Van den Broeck FLAIRS May 23, 2017 Overview 1. Why

Open-World Probabilistic Databases Guy Van den Broeck FLAIRS May 23, 2017 Overview 1. Why probabilistic databases? 2. How probabilistic query evaluation? 3. Why open world? 4. How open-world query evaluation? 5. What is the broader picture? Why

866 views • 51 slides
Open-World Probabilistic Databases Guy Van den Broeck GCAI Oct 21, 2017 Overview 1. Why

Open-World Probabilistic Databases Guy Van den Broeck GCAI Oct 21, 2017 Overview 1. Why

Open-World Probabilistic Databases Guy Van den Broeck GCAI Oct 21, 2017 Overview 1. Why probabilistic databases? 2. How probabilistic query evaluation? 3. Why open world? 4. How open-world query evaluation? 5. What is the broader picture?

2.03k views • 175 slides
What the Digerati Know INFO/CSE100, Spring 2006 Fluency in Information Technology

What the Digerati Know INFO/CSE100, Spring 2006 Fluency in Information Technology

The Information School of the University of Washington What the Digerati Know INFO/CSE100, Spring 2006 Fluency in Information Technology http://www.cs.washington.edu/education/courses/100/06sp/ Mar-31-06 digerati @ university of washington 1

331 views • 22 slides
The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian,

The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian,

The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom e, Luke

674 views • 45 slides
DTTF/NB479: Dszquphsbqiz Day 27 Announcements: Questions? This week: Discrete Logs,

DTTF/NB479: Dszquphsbqiz Day 27 Announcements: Questions? This week: Discrete Logs,

DTTF/NB479: Dszquphsbqiz Day 27 Announcements: Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Birthday attacks Hash Functions Message m Message digest, y (long) Cryptographic hash

645 views • 12 slides
CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web Data Engineering Access Control Mechanisms Declarative Authorization using Realms The expression of app security external to the app

540 views • 26 slides
TO Y PROGRAMMING Demo of a repository for statically compiled programs 2016 US LLVM

TO Y PROGRAMMING Demo of a repository for statically compiled programs 2016 US LLVM

PUBLIC Sony Interactive Entertainment TO Y PROGRAMMING Demo of a repository for statically compiled programs 2016 US LLVM Developers Meeting Paul Bowen-Huggett paul.huggett@sony.com Agenda Background RFC Is the idea generally

512 views • 17 slides
IT452 Advanced Web and Internet Systems Set 6: Web Servers (operation, configuration, and

IT452 Advanced Web and Internet Systems Set 6: Web Servers (operation, configuration, and

IT452 Advanced Web and Internet Systems Set 6: Web Servers (operation, configuration, and security) (Chapters 16 and 18) Key Questions Popular web servers? What does a web server do? How can I control it? URL re-writing /

326 views • 7 slides

More recommend