Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of - - PowerPoint PPT Presentation

Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64

L´ eo Perrin Dmitry Khovratovitch firstname.lastname@uni.lu

University of Luxembourg

March 3, 2014

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 1 / 21

Random functions

What happens when a random function is used to update the internal state of a cryptographic primitive?

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 2 / 21

Random functions

What happens when a random function is used to update the internal state of a cryptographic primitive?

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 2 / 21

Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon-64 Conclusion

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 3 / 21

Plan

Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon-64 Conclusion

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 3 / 21

Random Functions Statistics

Flajolet and Odlyzko (89), on a random functions g : S → S:

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 4 / 21

Random Functions Statistics

Flajolet and Odlyzko (89), on a random functions g : S → S:

• Distribution of the preimages sizes for a

$

← S: P[g(x) = a has k solutions for a

$

← S] = e−1/k!

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 4 / 21

Random Functions Statistics

Flajolet and Odlyzko (89), on a random functions g : S → S:

• Distribution of the preimages sizes for a

$

← S: P[g(x) = a has k solutions for a

$

← S] = e−1/k!

• (Expected) size of iterated image: |gi(S)| ≈ |S|

i/2

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 4 / 21

Random Functions Statistics

Flajolet and Odlyzko (89), on a random functions g : S → S:

• Distribution of the preimages sizes for a

$

← S: P[g(x) = a has k solutions for a

$

← S] = e−1/k!

• (Expected) size of iterated image: |gi(S)| ≈ |S|

i/2

• (Expected) cycle and tail length:
• π|S|

8

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 4 / 21

Random Functions Statistics

Flajolet and Odlyzko (89), on a random functions g : S → S:

• Distribution of the preimages sizes for a

$

← S: P[g(x) = a has k solutions for a

$

← S] = e−1/k!

• (Expected) size of iterated image: |gi(S)| ≈ |S|

i/2

• (Expected) cycle and tail length:
• π|S|

8

• ...

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 4 / 21

Random Functions Statistics

Flajolet and Odlyzko (89), on a random functions g : S → S:

• Distribution of the preimages sizes for a

$

← S: P[g(x) = a has k solutions for a

$

← S] = e−1/k!

• (Expected) size of iterated image: |gi(S)| ≈ |S|

i/2

• (Expected) cycle and tail length:
• π|S|

8

• ...

For functions chosen uniformly at random among all the functions from S to itself (random mappings).

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 4 / 21

Using state shrinking/presence of trees

• Trees and output shrinking used to attack A5/1 (Golic 97, Biryukov
• et. al. 01).

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 5 / 21

Using state shrinking/presence of trees

• Trees and output shrinking used to attack A5/1 (Golic 97, Biryukov
• et. al. 01).
• Shrinking of the state space of mickey observed by Hong and Kim

(05), studied by R¨

• ck (08).

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 5 / 21

Plan

Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon-64 Conclusion

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 6 / 21

Collision Probability Spectrum (cps)

Definition (Collision Probability Spectrum)

We call Collision Probability Spectrum (cps) of g : S → S the set {ck}k≥1 ck = P[g(a + x) = g(a) has k solutions].

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 7 / 21

Collision Probability Spectrum (cps)

Definition (Collision Probability Spectrum)

We call Collision Probability Spectrum (cps) of g : S → S the set {ck}k≥1 ck = P[g(a + x) = g(a) has k solutions].

Definition

The average number of non-zero roots is denoted κ and called collision average: κ =

• k≥1

ck · k − 1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 7 / 21

Output Shrinking

Let Vk = {x0 ∈ S, g(x0 + y) = g(x0) has k solutions}. ⇒ |Vk| = ck · |S|

Output Shrinking

Let Vk = {x0 ∈ S, g(x0 + y) = g(x0) has k solutions}. ⇒ |Vk| = ck · |S| Let g have CPS {c1 = c2 = 1/2}.

Output Shrinking

Let Vk = {x0 ∈ S, g(x0 + y) = g(x0) has k solutions}. ⇒ |Vk| = ck · |S| Let g have CPS {c1 = c2 = 1/2}. V1 V2 S

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 8 / 21

Output Shrinking

Let Vk = {x0 ∈ S, g(x0 + y) = g(x0) has k solutions}. ⇒ |Vk| = ck · |S| Let g have CPS {c1 = c2 = 1/2}. V1 V2 S

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 8 / 21

Output Shrinking

Let Vk = {x0 ∈ S, g(x0 + y) = g(x0) has k solutions}. ⇒ |Vk| = ck · |S| Let g have CPS {c1 = c2 = 1/2}. V1 V2 S

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 8 / 21

Output Shrinking

Let Vk = {x0 ∈ S, g(x0 + y) = g(x0) has k solutions}. ⇒ |Vk| = ck · |S| Let g have CPS {c1 = c2 = 1/2}. V1 V2 S Lost!

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 8 / 21

Output Shrinking

Let Vk = {x0 ∈ S, g(x0 + y) = g(x0) has k solutions}. ⇒ |Vk| = ck · |S| Let g have CPS {c1 = c2 = 1/2}. V1 V2 S Lost! |g(Vk)| = ck k · |S|

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 8 / 21

Output Shrinking

Let Vk = {x0 ∈ S, g(x0 + y) = g(x0) has k solutions}. ⇒ |Vk| = ck · |S| Let g have CPS {c1 = c2 = 1/2}. V1 V2 S Lost! |g(Vk)| = ck k · |S| Independence Assumption: In what follows, we assume that x ∈ g(Vk) and x ∈ Vj are independent for any k, j.

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 8 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S)

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S)

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S)

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S)

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4 3 2 1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4 3 2 1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4 3 2 1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4 3 2 1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4 3 2 1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4 3 2 1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4 3 2 1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4 3 2 1 4 3 2 1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Iterated Output Shrinking and Collision Trees

g : S → S has CPS {c3 = 1}; # iterations <

• |S|

S g(S) g2(S) g3(S) g4(S) |gi(S)| ∼ |S| i · κ/2

4 3 2 1 4 3 2 1

#{ nodes in tree rooted in gi(S)} ∼ κ 4 · i2

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 9 / 21

Known cps’s

Function κ |S|/|gi(S)| tree size mickey’s update function 0.625 2−1.7 · i 2−2.7 · i2 Random mapping 1 2−1 · i 2−2 · i2 gluon-64’s update function 6.982 21.8 · i 20.8 · i2

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 10 / 21

Plan

Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon-64 Conclusion

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 11 / 21

The t-sponge Construction

... ... Id g g g g g IV IS1 ISk ISk+1 ISk+d Absorption Squeezing c r m1 ... mk ⊕ ⊕ d1 ... dj

• c: capacity
• r: bitrate
• m1, ..., mk:

Message

• d1, ..., dj: Digest
• g: random

function

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 12 / 21

Flat Sponge Claim Revisited

If g is a function with collision average κ, then finding collisions with Q queries succeeds with probability Q2 2c+1 ·

• 1 + κ − 1

2r

• .

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 13 / 21

Flat Sponge Claim Revisited

If g is a function with collision average κ, then finding collisions with Q queries succeeds with probability Q2 2c+1 ·

• 1 + κ − 1

2r

• .

Intuition: S has size 2c+r. Collisions occur because of the “trimming” of the bitrate (2r/2c+r = 2c) and because of inner-collisions (κ/2c+r).

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 13 / 21

Keyed Walk

Definition

Given a space S, functions gk : S → S and a sequence of keys {k1, ..., km}, a keyed walk starting in x0 is such that xi+1 = gki(xi).

Keyed Walk

Definition

Given a space S, functions gk : S → S and a sequence of keys {k1, ..., km}, a keyed walk starting in x0 is such that xi+1 = gki(xi). Example:

• Keys: {k1, k2, k3}
• Sequence: {k1, k3, k3, k1, k2}
• Functions: gki, i = 1, 2, 3.

Keyed Walk

Definition

Given a space S, functions gk : S → S and a sequence of keys {k1, ..., km}, a keyed walk starting in x0 is such that xi+1 = gki(xi). Example:

• Keys: {k1, k2, k3}
• Sequence: {k1, k3, k3, k1, k2}
• Functions: gki, i = 1, 2, 3.

x0 x1 gk1 gk2 gk3

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 14 / 21

Keyed Walk

Definition

Given a space S, functions gk : S → S and a sequence of keys {k1, ..., km}, a keyed walk starting in x0 is such that xi+1 = gki(xi). Example:

• Keys: {k1, k2, k3}
• Sequence: {k1, k3, k3, k1, k2}
• Functions: gki, i = 1, 2, 3.

x0 x1 gk1 gk2 gk3 x2 gk1 gk2 gk3

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 14 / 21

Keyed Walk

Definition

Given a space S, functions gk : S → S and a sequence of keys {k1, ..., km}, a keyed walk starting in x0 is such that xi+1 = gki(xi). Example:

• Keys: {k1, k2, k3}
• Sequence: {k1, k3, k3, k1, k2}
• Functions: gki, i = 1, 2, 3.

x0 x1 gk1 gk2 gk3 x2 gk1 gk2 gk3 x3 gk1 gk2 gk3

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 14 / 21

Keyed Walk

Definition

Given a space S, functions gk : S → S and a sequence of keys {k1, ..., km}, a keyed walk starting in x0 is such that xi+1 = gki(xi). Example:

• Keys: {k1, k2, k3}
• Sequence: {k1, k3, k3, k1, k2}
• Functions: gki, i = 1, 2, 3.

x0 x1 gk1 gk2 gk3 x2 gk1 gk2 gk3 x3 gk1 gk2 gk3 x4 gk1 gk2 gk3

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 14 / 21

Keyed Walk

Definition

Given a space S, functions gk : S → S and a sequence of keys {k1, ..., km}, a keyed walk starting in x0 is such that xi+1 = gki(xi). Example:

• Keys: {k1, k2, k3}
• Sequence: {k1, k3, k3, k1, k2}
• Functions: gki, i = 1, 2, 3.

x0 x1 gk1 gk2 gk3 x2 gk1 gk2 gk3 x3 gk1 gk2 gk3 x4 gk1 gk2 gk3 x5 gk1 gk2 gk3

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 14 / 21

Let t be such that t ∈ gi

k1(S)

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g?

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g?

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g? g−i

k1 (t)

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g? g−i

k1 (t)

Collision tree

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g? g−i

k1 (t)

Collision tree x′ ... x′

u′−1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g? g−i

k1 (t)

Collision tree x′ ... x′

u′−1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g? g−i

k1 (t)

Collision tree x′ ... x′

u′−1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g? g−i

k1 (t)

Collision tree x′ ... x′

u′−1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g? g−i

k1 (t)

Collision tree x′ ... x′

u′−1

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g? g−i

k1 (t)

Collision tree x′ ... x′

u′−1

Finding element in g−i

k1 (t)

C ≈ |S| κ/2

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Let t be such that t ∈ gi

k1(S)

|g−i

k1 (t)| ≈ i · κ/2

|Tree| ≈ i2 · κ/4 x0 ... t g? xu g? g−i

k1 (t)

Collision tree x′ ... x′

u′−1

Finding element in g−i

k1 (t)

C ≈ |S| κ/2 Finding element in collision tree: C ≈ |S| i · κ/4

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 15 / 21

Consequences in Cryptography

Let m = m0||...||mn||0||0||...||0 (a message ending with z 0’s) and d = H(m).

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 16 / 21

Consequences in Cryptography

Let m = m0||...||mn||0||0||...||0 (a message ending with z 0’s) and d = H(m).

• If H is a t-sponge then we can find a preimage for d in time

2c · 2r+2 κ · z .

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 16 / 21

Consequences in Cryptography

Let m = m0||...||mn||0||0||...||0 (a message ending with z 0’s) and d = H(m).

• If H is a t-sponge then we can find a preimage for d in time

2c · 2r+2 κ · z .

• If H is a Davies-Meyer based hashfunctions with internal state size n:
• With padding: preimage found in time 2n+1/κ
• No padding: preimage found in time 2n+2/(z · κ)

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 16 / 21

Consequences in Cryptography

Let m = m0||...||mn||0||0||...||0 (a message ending with z 0’s) and d = H(m).

• If H is a t-sponge then we can find a preimage for d in time

2c · 2r+2 κ · z .

• If H is a Davies-Meyer based hashfunctions with internal state size n:
• With padding: preimage found in time 2n+1/κ
• No padding: preimage found in time 2n+2/(z · κ)
• More?

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 16 / 21

Plan

Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon-64 Conclusion

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 17 / 21

Description of gluon-64

• Lightweight hash function.

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 18 / 21

Description of gluon-64

• Lightweight hash function.
• t-sponge, r = 8, c = 128

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 18 / 21

Description of gluon-64

• Lightweight hash function.
• t-sponge, r = 8, c = 128
• g = Φ ◦ ρd+4 ◦ pad

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 18 / 21

Description of gluon-64

• Lightweight hash function.
• t-sponge, r = 8, c = 128
• g = Φ ◦ ρd+4 ◦ pad

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 18 / 21

Description of gluon-64

• Lightweight hash function.
• t-sponge, r = 8, c = 128
• g = Φ ◦ ρd+4 ◦ pad

Possible (with a SAT-solver) to enumerate the solutions of (ρ10 ◦ pad)(x + a) = (ρ10 ◦ pad)(a)

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 18 / 21

5 10 15 20 0.1 0.2 0.3 0.4 k ck CPS gluon-64 CPS random function

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 19 / 21

5 10 15 20 0.1 0.2 0.3 0.4 k ck CPS gluon-64 CPS random function c1 = 0.065, κ = 6.982 = 22.80 c1 = 0.368, κ = 1.000 = 20

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 19 / 21

5 10 15 20 0.1 0.2 0.3 0.4 k ck CPS gluon-64 CPS random function c1 = 0.065, κ = 6.982 = 22.80 c1 = 0.368, κ = 1.000 = 20 Preimage search for m ending with z zeroes: C = 2c · 2r+2 κ · z = 2c · 147 z

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 19 / 21

Plan

Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon-64 Conclusion

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 20 / 21

Conclusion

• Not permutation =

⇒ iterated output shrinking and quadratic collision trees.

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 21 / 21

Conclusion

• Not permutation =

⇒ iterated output shrinking and quadratic collision trees.

• The cps allows more precise estimations of these.

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 21 / 21

Conclusion

• Not permutation =

⇒ iterated output shrinking and quadratic collision trees.

• The cps allows more precise estimations of these.
• More precise flat sponge claim for t-sponge and easier preimage

search = ⇒ Use large bitrate!

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 21 / 21

Conclusion

• Not permutation =

⇒ iterated output shrinking and quadratic collision trees.

• The cps allows more precise estimations of these.
• More precise flat sponge claim for t-sponge and easier preimage

search = ⇒ Use large bitrate!

• For gluon-64, preimage for hash of unkown message ending with z

zeroes needs 2c · (147/z).

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 21 / 21

Conclusion

• Not permutation =

⇒ iterated output shrinking and quadratic collision trees.

• The cps allows more precise estimations of these.
• More precise flat sponge claim for t-sponge and easier preimage

search = ⇒ Use large bitrate!

• For gluon-64, preimage for hash of unkown message ending with z

zeroes needs 2c · (147/z).

• 500 B of zeroes: C = 2126.2

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 21 / 21

Conclusion

• Not permutation =

⇒ iterated output shrinking and quadratic collision trees.

• The cps allows more precise estimations of these.
• More precise flat sponge claim for t-sponge and easier preimage

search = ⇒ Use large bitrate!

• For gluon-64, preimage for hash of unkown message ending with z

zeroes needs 2c · (147/z).

• 500 B of zeroes: C = 2126.2
• 1 MB of zeroes: C = 2115.3

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 21 / 21

Conclusion

• Not permutation =

⇒ iterated output shrinking and quadratic collision trees.

• The cps allows more precise estimations of these.
• More precise flat sponge claim for t-sponge and easier preimage

search = ⇒ Use large bitrate!

• For gluon-64, preimage for hash of unkown message ending with z

zeroes needs 2c · (147/z).

• 500 B of zeroes: C = 2126.2
• 1 MB of zeroes: C = 2115.3
• 1 GB of zeroes: C = 2105.3

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 21 / 21

Conclusion

• Not permutation =

⇒ iterated output shrinking and quadratic collision trees.

• The cps allows more precise estimations of these.
• More precise flat sponge claim for t-sponge and easier preimage

search = ⇒ Use large bitrate!

• For gluon-64, preimage for hash of unkown message ending with z

zeroes needs 2c · (147/z).

• 500 B of zeroes: C = 2126.2
• 1 MB of zeroes: C = 2115.3
• 1 GB of zeroes: C = 2105.3

Thank you!

Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon-64 21 / 21