Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of - PowerPoint PPT Presentation

Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 L´ eo Perrin Dmitry Khovratovitch firstname.lastname@uni.lu University of Luxembourg March 3, 2014 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 1 / 21

Random functions What happens when a random function is used to update the internal state of a cryptographic primitive? Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 2 / 21

Random functions What happens when a random function is used to update the internal state of a cryptographic primitive? Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 2 / 21

Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon -64 Conclusion Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 3 / 21

Plan Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon -64 Conclusion Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 3 / 21

Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a • (Expected) size of iterated image: | g i ( S ) | ≈ |S| i / 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a • (Expected) size of iterated image: | g i ( S ) | ≈ |S| i / 2 � π |S| • (Expected) cycle and tail length: 8 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a • (Expected) size of iterated image: | g i ( S ) | ≈ |S| i / 2 � π |S| • (Expected) cycle and tail length: 8 • ... Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a • (Expected) size of iterated image: | g i ( S ) | ≈ |S| i / 2 � π |S| • (Expected) cycle and tail length: 8 • ... For functions chosen uniformly at random among all the functions from S to itself (random mappings). Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

Using state shrinking/presence of trees • Trees and output shrinking used to attack A5/1 (Golic 97, Biryukov et. al. 01). Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 5 / 21

Using state shrinking/presence of trees • Trees and output shrinking used to attack A5/1 (Golic 97, Biryukov et. al. 01). • Shrinking of the state space of mickey observed by Hong and Kim (05), studied by R¨ ock (08). Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 5 / 21

Plan Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon -64 Conclusion Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 6 / 21

Collision Probability Spectrum ( cps ) Definition (Collision Probability Spectrum) We call Collision Probability Spectrum ( cps ) of g : S → S the set { c k } k ≥ 1 c k = P [ g ( a + x ) = g ( a ) has k solutions ] . Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 7 / 21

Collision Probability Spectrum ( cps ) Definition (Collision Probability Spectrum) We call Collision Probability Spectrum ( cps ) of g : S → S the set { c k } k ≥ 1 c k = P [ g ( a + x ) = g ( a ) has k solutions ] . Definition The average number of non-zero roots is denoted κ and called collision average : � κ = c k · k − 1 k ≥ 1 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 7 / 21

Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S|

Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } .

Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Lost! Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Lost! | g ( V k ) | = c k k · |S| Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Lost! | g ( V k ) | = c k k · |S| Independence Assumption: In what follows, we assume that x ∈ g ( V k ) and x ∈ V j are independent for any k , j . Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) g 3 ( S ) Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) g 3 ( S ) g 4 ( S ) Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) g 3 ( S ) g 4 ( S ) |S| | g i ( S ) | ∼ i · κ/ 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) 4 g 3 ( S ) g 4 ( S ) |S| | g i ( S ) | ∼ i · κ/ 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21