collision attack on 5 rounds of gr stl
play

Collision Attack on 5 Rounds of Grstl Martin Schl Florian Mendel - PowerPoint PPT Presentation

Mar 23, 2024 •330 likes •865 views

Collision Attack on 5 Rounds of Grstl Martin Schl Florian Mendel Vincent Rijmen affer The Grstl Hash Function The Grstl Hash Function m 1 m 2 m t f f f IV hash n 2 n 2 n 2 n SHA-3 finalist designed by Knudsen et al.

  1. Collision Attack on 5 Rounds of Grøstl Martin Schl¨ Florian Mendel Vincent Rijmen affer

  2. The Grøstl Hash Function

  3. The Grøstl Hash Function m 1 m 2 m t f f f Ω IV hash n 2 n 2 n 2 n SHA-3 finalist designed by Knudsen et al. iterative, Merkle-Damg˚ ard design principle wide-pipe construction, 2 n -bit chaining value

  4. The Grøstl Compression Function m i Q 2 n h i − 1 h i P 2 n 2 n Permutation based design 8 × 8 state and 10 rounds for Grøstl-256 8 × 16 state and 14 rounds for Grøstl-512

  5. The Grøstl-256 Round Transformations SubBytes ShiftBytes MixBytes AddConstant ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff S ff ff ff ff ff ff ff ff Q : ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff f i e i d i c i b i a i 9 i 8 i 0 i 1 i 2 i 3 i 4 i 5 i 6 i 7 i S P : AES like round transformation r i = MB ◦ SH ◦ SB ◦ AC

  6. Existing Analysis of Grøstl

  7. Existing Analysis of Grøstl Grøstl received a large amount of cryptanalysis

  8. Existing Analysis of Grøstl Grøstl received a large amount of cryptanalysis Initiated by the design team itself → rebound attack

  9. Existing Analysis of Grøstl Grøstl received a large amount of cryptanalysis Initiated by the design team itself → rebound attack Several improvements have been made

  10. Existing Analysis of Grøstl Grøstl received a large amount of cryptanalysis Initiated by the design team itself → rebound attack Several improvements have been made Internal differential attack

  11. Existing Analysis of Grøstl Grøstl received a large amount of cryptanalysis Initiated by the design team itself → rebound attack Several improvements have been made Internal differential attack Zero-sum distinguisher

  12. Existing Analysis of Grøstl Grøstl received a large amount of cryptanalysis Initiated by the design team itself → rebound attack Several improvements have been made Internal differential attack Zero-sum distinguisher Meet-in-the-middle attacks

  13. Existing Analysis of Grøstl Grøstl received a large amount of cryptanalysis Initiated by the design team itself → rebound attack Several improvements have been made Internal differential attack Zero-sum distinguisher Meet-in-the-middle attacks . . .

  14. Existing Analysis of Grøstl I Elena Andreeva, Bart Mennink, and Bart Preneel. On the Indifferentiability of the Grøstl Hash Function. In Juan A. Garay and Roberto De Prisco, editors, SCN , volume 6280 of LNCS , pages 88–105. Springer, 2010. Elena Andreeva, Bart Mennink, Bart Preneel, and Marjan Skrobot. Security Analysis and Comparison of the SHA-3 Finalists BLAKE, Grøstl, JH, Keccak, and Skein. In Aikaterini Mitrokotsa and Serge Vaudenay, editors, AFRICACRYPT , volume 7374 of LNCS , pages 287–305. Springer, 2012. Paulo S. L. M. Barreto. An observation on Grøstl. NIST hash function mailing list, 2008. Christina Boura, Anne Canteaut, and Christophe De Canni` ere. Higher-Order Differential Properties of Keccak and Luffa. In Antoine Joux, editor, FSE , volume 6733 of LNCS , pages 252–269. Springer, 2011. Sareh Emami, Praveen Gauravaram, Josef Pieprzyk, and Ron Steinfeld. (Chosen-multi-target) preimage attacks on reduced Grøstl. http://web.science.mq.edu.au/~rons/preimageattack-final.pdf . Henri Gilbert and Thomas Peyrin. Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations. In Seokhie Hong and Tetsu Iwata, editors, FSE , volume 6147 of LNCS , pages 365–383. Springer, 2010.

  15. Existing Analysis of Grøstl II Kota Ideguchi, Elmar Tischhauser, and Bart Preneel. Improved Collision Attacks on the Reduced-Round Grøstl Hash Function. In Mike Burmester, Gene Tsudik, Spyros S. Magliveras, and Ivana Ilic, editors, ISC , volume 6531 of LNCS , pages 1–16. Springer, 2010. J´ er´ emy Jean, Mar´ ıa Naya-Plasencia, and Thomas Peyrin. Improved Rebound Attack on the Finalist Grøstl. In Anne Canteaut, editor, FSE , volume 7549 of LNCS , pages 110–126. Springer, 2012. J´ er´ emy Jean, Mar´ ıa Naya-Plasencia, and Thomas Peyrin. Multiple Limited-Birthday Distinguishers and Applications. In Tanja Lange, Kristin Lauter, and Petr Lisonek, editors, Selected Areas in Cryptography , LNCS. Springer, 2013. John Kelsey. Some notes on Grøstl. NIST hash function mailing list, 2009. Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schl¨ affer. Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography , volume 5867 of LNCS , pages 16–35. Springer, 2009. Florian Mendel, Christian Rechberger, Martin Schl¨ affer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE , volume 5665 of LNCS , pages 260–276. Springer, 2009.

  16. Existing Analysis of Grøstl III Florian Mendel, Christian Rechberger, Martin Schl¨ affer, and Søren S. Thomsen. Rebound Attacks on the Reduced Grøstl Hash Function. In Josef Pieprzyk, editor, CT-RSA , volume 5985 of LNCS , pages 350–365. Springer, 2010. Marine Minier and Ga¨ el Thomas. An Integral Distinguisher on Grøstl-512. In Goutam Paul and Serge Vaudenay, editors, INDOCRYPT , volume 8250 of LNCS , pages 50–59. Springer, 2013. Thomas Peyrin. Improved Differential Attacks for ECHO and Grøstl. In Tal Rabin, editor, CRYPTO , volume 6223 of LNCS , pages 370–392. Springer, 2010. Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, and Kazuo Ohta. Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. In Masayuki Abe, editor, ASIACRYPT , volume 6477 of LNCS , pages 38–55. Springer, 2010. Yu Sasaki, Yuuki Tokushige, Lei Wang, Mitsugu Iwamoto, and Kazuo Ohta. An Automated Evaluation Tool for Improved Rebound Attack: New Distinguishers and Proposals of ShiftBytes Parameters for Grøstl. In Josh Benaloh, editor, CT-RSA , volume 8366 of LNCS , pages 424–443. Springer, 2014. Martin Schl¨ affer. Updated Differential Analysis of Grøstl. http://groestl.info , 2011. Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, and Jian Zou. (Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others. In Anne Canteaut, editor, FSE , volume 7549 of LNCS , pages 127–145. Springer, 2012.

  17. Attacks on the Hash Function Most of the analysis focus on the building blocks of Grøstl

  18. Attacks on the Hash Function Most of the analysis focus on the building blocks of Grøstl Only a few results have been published for the hash function rounds complexity memory 2 64 Grøstl-256 3 - 2 192 Grøstl-512 3 -

  19. Attacks on the Hash Function Most of the analysis focus on the building blocks of Grøstl Only a few results have been published for the hash function rounds complexity memory 2 64 Grøstl-256 3 - 2 192 Grøstl-512 3 - ⇒ We will show collision attacks for up to 5 rounds of Grøstl

  20. Basic Attack Strategy

  21. Basic Attack Strategy Combines ideas of the attack on SMASH with the rebound attack

  22. Basic Attack Strategy Combines ideas of the attack on SMASH with the rebound attack Similar to the attack on Grindahl

  23. Basic Attack Strategy Combines ideas of the attack on SMASH with the rebound attack Similar to the attack on Grindahl Attack uses a new type of truncated differential trail spanning over more than one message block

  24. Basic Attack Strategy Combines ideas of the attack on SMASH with the rebound attack Similar to the attack on Grindahl Attack uses a new type of truncated differential trail spanning over more than one message block Starting with an (almost) arbitrary difference in the chaining variable

  25. Basic Attack Strategy Combines ideas of the attack on SMASH with the rebound attack Similar to the attack on Grindahl Attack uses a new type of truncated differential trail spanning over more than one message block Starting with an (almost) arbitrary difference in the chaining variable Iteratively canceling the differences in the chaining variable

  26. Basic Attack Strategy Combines ideas of the attack on SMASH with the rebound attack Similar to the attack on Grindahl Attack uses a new type of truncated differential trail spanning over more than one message block Starting with an (almost) arbitrary difference in the chaining variable Iteratively canceling the differences in the chaining variable Having only differences in one of the two permutations

  27. Equivalent Description of Grøstl To simplify the description of the attack we use an equivalent description of Grøstl MB − 1 ( IV ) h ′ = 0 h ′ P ′ ( MB ( h ′ i − 1 ) ⊕ m i ) ⊕ Q ′ ( m i ) ⊕ h ′ = for 1 ≤ i ≤ t i i − 1 Ω( MB ( h ′ hash = t )) with h i = MB ( h ′ i ) The last MixBytes transformation of the permutations P and Q are swapped with the XOR operation of the feed-forward

  28. Attack on 4 Rounds of Grøstl-256 The core of the attack on 4 rounds are truncated differential trails for P ′ with only 8 active bytes at the output of round r 4 r 1 r 2 r 3 r 4 64 → 64 → 8 → 8 → 8 − − − − Using the rebound attack all the 2 64 solutions for this truncated differential trail with a given/fixed difference difference at the input of P ′ can be found with complexity 2 64 in time and memory P ′ P ′ P ′ P ′ P ′ 0 1 2 3 4 AC AC AC AC SB SB SB SB SH SH SH SH MB MB MB

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT11 Michael Gorski,

1.16k views • 48 slides
Horizontal Collision Correlation Attack on Elliptic Curves A. Bauer E. Jaulmes E. Prouff J.

Horizontal Collision Correlation Attack on Elliptic Curves A. Bauer E. Jaulmes E. Prouff J.

Horizontal Collision Correlation Attack on Elliptic Curves A. Bauer E. Jaulmes E. Prouff J. Wild Talk by J.-R. Reinhard ANSSI (French Network and Information Security Agency) Selected Areas in Cryptography 2013 Burnaby, Canada August 16,

308 views • 29 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]:

10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]:

10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]: automatic suggestions about the motions of objects immediately following a collision; animation systems using dynamical simulation inherently must respond

767 views • 53 slides
Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA,

Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA,

Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA, Switzerland - Mara Naya-Plasencia FHNW, Windisch, Switzerland and University of Versailles, France - Markku-Juhani O. Saarinen Revere

263 views • 15 slides
Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

370 views • 33 slides
FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li

FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li

FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China. Institute of Software, Chinese Academy of Sciences,

1.08k views • 97 slides
Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of

Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of

The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of Versailles - France Nanyang Technological

846 views • 43 slides
Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE http://sloth-attack.org Karthikeyan Bhargavan Gatan Leurent Crypto protocols and applications evolve Agility: graceful transition from old to new

228 views • 18 slides
5 Rounds of SHA-3 Using Generalized Internal Differentials Itai Dinur 1 , Orr Dunkelman 1,2 and

5 Rounds of SHA-3 Using Generalized Internal Differentials Itai Dinur 1 , Orr Dunkelman 1,2 and

Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials Itai Dinur 1 , Orr Dunkelman 1,2 and Adi Shamir 1 1 The Weizmann Institute, Israel 2 University of Haifa, Israel Keccak (Bertoni, Daemen, Peeters and Van

496 views • 30 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang , Chao Xu and Willi

Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang , Chao Xu and Willi

Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang , Chao Xu and Willi Meier Chinese Academy of Sciences FHNW,Switzerland 02-05-2018 Bin Zhang , Chao Xu and Willi Meier ( Chinese Academy

596 views • 48 slides
Collision Detection Part 2. Narrow Phase Collision Detection The Narrow Phase Exact collision

Collision Detection Part 2. Narrow Phase Collision Detection The Narrow Phase Exact collision

Collision Detection Part 2. Narrow Phase Collision Detection The Narrow Phase Exact collision detection: Where precisely have objects touched, where to apply forces, torques? Collision Response The following is an equation for Rigid Body

1.06k views • 79 slides
Q44.2 Consider the collision p + p -> p + p + 0 p + p + Consider the collision p + p

Q44.2 Consider the collision p + p -> p + p + 0 p + p + Consider the collision p + p

Q44.2 Consider the collision p + p -> p + p + 0 p + p + Consider the collision p + p A. It is exoergic. g B. It is endoergic C These terms dont apply to this type of collision C. These terms don t apply to this type of collision

596 views • 20 slides
Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

07 Tutorial: Broadphase Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known weaknesses Fixed-timestep weakness All-pairs weakness Pair-processing weakness Two-phase collision detection

833 views • 20 slides
SHAttered: SHA-1 Collision for the (GPU-packing) Masses Ben Prather Algorithms Interest Group,

SHAttered: SHA-1 Collision for the (GPU-packing) Masses Ben Prather Algorithms Interest Group,

SHAttered: SHA-1 Collision for the (GPU-packing) Masses Ben Prather Algorithms Interest Group, April 4 2017 Expectation management Description of the attack will necessarily be general This is cutting-edge cryptanalysis Google

509 views • 25 slides
Evaluating and Treating DNAPL in Fractured Rock Charles Schaefer, Ph.D. David Lippincott

Evaluating and Treating DNAPL in Fractured Rock Charles Schaefer, Ph.D. David Lippincott

Evaluating and Treating DNAPL in Fractured Rock Charles Schaefer, Ph.D. David Lippincott APTIM Rachael Rezez APTIM Graig Lavorgna - APTIM Dr. Michael Annable UFL Erin White UFL DNAPL Architecture, Dissolution, and Treatment

460 views • 25 slides
Com m ents on General Equilibrium Rebound from Energy Efficiency Policies by Derek Lem oine

Com m ents on General Equilibrium Rebound from Energy Efficiency Policies by Derek Lem oine

Com m ents on General Equilibrium Rebound from Energy Efficiency Policies by Derek Lem oine Stefan Ambec Ecole dEconomie de Toulouse (INRA-LERNA-IDEI) Auteur Main Point Impact of energy policy (tax): Engineering approach:

174 views • 4 slides
Seminar HS2019 Distributed Systems Group (Prof. Mattern) Digitalization and the Rebound Effect

Seminar HS2019 Distributed Systems Group (Prof. Mattern) Digitalization and the Rebound Effect

Seminar HS2019 Distributed Systems Group (Prof. Mattern) Digitalization and the Rebound Effect Moti tivati tion n we e need eed t to halve e our emi emissions ea each dec ecade Image scource: (Rockstrm et al. 2017): A roadmap

737 views • 25 slides
Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa Anas Tschichold Go Goal: No Rebound! after an efficiency improvement to produce one unit, price will not decrease and therefore demand will

786 views • 39 slides
First Quarterly Report September 10, 2020 Summary The First Quarterly Report is on track

First Quarterly Report September 10, 2020 Summary The First Quarterly Report is on track

First Quarterly Report September 10, 2020 Summary The First Quarterly Report is on track with the scenario presented on July 14, with improvements in employment, retail sales and housing activity Annual real GDP decline of 6.7 per cent

436 views • 20 slides
Shorting for Fun and Profit Nah, Just Profit Michael Shulman Editor, ChangeWave Shorts and

Shorting for Fun and Profit Nah, Just Profit Michael Shulman Editor, ChangeWave Shorts and

Shorting for Fun and Profit Nah, Just Profit Michael Shulman Editor, ChangeWave Shorts and Author, Sell Short April 2009 Fundamental Shorting A trade, using a put based on the fundamentals of a company and its stock A faster way to

724 views • 25 slides
Defending Distributed Cyber-Physical Systems with Bounded Time Recovery Bri Brian Sa

Defending Distributed Cyber-Physical Systems with Bounded Time Recovery Bri Brian Sa

Defending Distributed Cyber-Physical Systems with Bounded Time Recovery Bri Brian Sa Sandler, Neeraj Gandhi, Linh Thi Xuan Phan, Andreas Haeberlen NSF/Intel CPS PI Meeting July 2018 1 Machines in Control Vulnerable CPS can cause

433 views • 28 slides
Third Quarter Results 2009 Zurich October 22, 2009 Cautionary statement Cautionary statement

Third Quarter Results 2009 Zurich October 22, 2009 Cautionary statement Cautionary statement

Third Quarter Results 2009 Zurich October 22, 2009 Cautionary statement Cautionary statement regarding forward-looking and non-GAAP information This presentation contains forward-looking statements within the meaning of the Private Securities

396 views • 38 slides

More recommend