Cryptanalysis of WIDEA (PowerPoint PPT presentation, FSE 2013)



Slide 1/24

UCL Crypto Group, Microelectronics Laboratory
G. Leurent, Cryptanalysis of WIDEA, FSE 2013
Introduction | Truncated differential | Key recovery | Hash collisions | Conclusion

Cryptanalysis of WIDEA

Gaëtan Leurent

UCL Crypto Group

FSE 2013

Slide 2/24

Wide block ciphers

▶ Most block ciphers have a block size of 128 bits
▶ 64 bits for lightweight ciphers
▶ Sometimes a larger block size is useful:
  ▶ More than 2^64 data blocks with a single key
  ▶ Large key, very high security
  ▶ Hash function design

Wide block ciphers

▶ Rijndael: 192/256
▶ Threefish: 256/512/1024
▶ WIDEA: 256/512

Slide 3/24

WIDEA

▶ Wide block cipher based on IDEA
▶ Designed by Junod and Macchetti [FSE ’09]
▶ Motivation: build a hash function
▶ Expected to inherit the security of IDEA:
  ▶ Full diffusion after one round
  ▶ Mix of incompatible operations: ⊞, ⊕, ⊙, ⊗
  ▶ Same number of rounds: 8.5

Previous results

▶ Weak keys [Nakahara, CANS ’12], [Mendel et al., CT-RSA ’13]
▶ Free-start collision (practical) [Mendel et al., CT-RSA ’13]

Slide 4/24

IDEA

[Figure: one IDEA round, with inputs X0, X1, X2, X3, subkeys Z0 to Z5, outputs Y0, Y1, Y2, Y3 and intermediate values A, B, D, 𝛥, 𝛦]

▶ Lai & Massey 1991
▶ 16-bit words
▶ 64-bit block, 128-bit key
▶ 8.5 rounds
▶ Based on incompatible operations:
  ▶ ⊞: modular addition
  ▶ ⊕: bitwise xor
  ▶ ⊙: multiplication mod 2^16 + 1
▶ Unbroken after 20+ years
▶ Weak-key problems

Slide 5/24

WIDEA

[Figure: one WIDEA round, w parallel IDEA slices with inputs X_{i,j}, subkeys Z_{i,j} and outputs Y_{i,j}, joined by the MDS matrix M]

▶ Junod & Macchetti 2009
▶ WIDEA-w: w parallel IDEA instances
▶ MDS matrix for diffusion across the slices
▶ WIDEA-4: 256-bit block, 512-bit key
▶ WIDEA-8: 512-bit block, 1024-bit key
▶ Efficient SIMD implementation
▶ w 16-bit words


Slide 7/24

Outline

Introduction
Truncated differential
Key recovery
Hash collisions
Conclusion

Slide 8/24

Main idea

▶ Consider a differential attack.
▶ Can we keep a single slice active?

[Figure: one round (1R) of WIDEA with a single active slice]

▶ Inside the MAD box: [figure: M/A layer, MDS matrix, M/A layer]; the difference in the active slice is zero at the MDS input with probability p = 2^−16

Slide 9/24

Truncated differential trail

[Figure: WIDEA round with only slice 0 active, inputs X_{i,0}, subkeys Z_{i,0}, outputs Y_{i,0}, and the MDS matrix M]

▶ One input slice active: X_{i,0} ≠ X′_{i,0}, and X_{i,j} = X′_{i,j} for j ≠ 0
▶ Zero difference at the input of the MDS with probability 2^−16
▶ No effect on other slices: Y_{i,0} ≠ Y′_{i,0}, and Y_{i,j} = Y′_{i,j} for j ≠ 0



Slide 10/24

Main idea

▶ Consider a differential attack.
▶ Can we keep a single slice active?

[Figure: the full 8.5 rounds (8.5R) of WIDEA with a single active slice, p = 2^−128]

▶ Inside the MAD box: [figure: M/A layer, MDS matrix, M/A layer]; zero difference at the MDS input with probability p = 2^−16 in each of the 8 full rounds

Slide 11/24

Finding good pairs

▶ Truncated trail for the full 8.5 rounds: [figure: 8.5R, p = 2^−128]
▶ Use a structure of 2^64 plaintexts: [figure: one slice takes all values (w, x, y, z), the other slices are fixed]
  ▶ 2^64 values for one slice
  ▶ Fixed value for the other slices
  ▶ 2^127 candidate pairs with one active slice: ((w, x, y, z), (w′, x′, y′, z′))
▶ One good pair expected with two structures
▶ Look for collisions in the inactive slices
▶ Distinguisher with complexity 2^65 (success rate 63%, i.e. 1 − 1/e for one expected good pair)
▶ Strong filtering: no wrong pairs, can break more than 8 rounds

Slide 12/24

Outline (section divider: Key recovery)

Slide 13/24

Using right pairs: first round

Extract key information from right pairs:

▶ Denote the MDS input as D
▶ A right pair gives D = D′

D  = (((X0 ⊙ Z0) ⊕ (X2 ⊞ Z2)) ⊙ Z4) ⊞ ((X1 ⊞ Z1) ⊕ (X3 ⊙ Z3))
D′ = (((X′0 ⊙ Z0) ⊕ (X′2 ⊞ Z2)) ⊙ Z4) ⊞ ((X′1 ⊞ Z1) ⊕ (X′3 ⊙ Z3))

▶ Filtering Z0, Z1, Z2, Z3, Z4
▶ 5 pairs should be enough
▶ Experimental results: need 8 pairs
▶ One bit cannot be recovered (linear): MSB of Z1

Slide 14/24

Filtering

Filtering: D = D′

(((X0 ⊙ Z0) ⊕ (X2 ⊞ Z2)) ⊙ Z4) ⊞ ((X1 ⊞ Z1) ⊕ (X3 ⊙ Z3))
  = (((X′0 ⊙ Z0) ⊕ (X′2 ⊞ Z2)) ⊙ Z4) ⊞ ((X′1 ⊞ Z1) ⊕ (X′3 ⊙ Z3))

Slide 14/24 (continued)

Filtering

Filtering: D = D′, rearranged so that each side depends on a disjoint set of subkeys:

(((X0 ⊙ Z0) ⊕ (X2 ⊞ Z2)) ⊙ Z4) ⊟ (((X′0 ⊙ Z0) ⊕ (X′2 ⊞ Z2)) ⊙ Z4)
  = ((X′1 ⊞ Z1) ⊕ (X′3 ⊙ Z3)) ⊟ ((X1 ⊞ Z1) ⊕ (X3 ⊙ Z3))

Slide 14/24 (continued)

Filtering

Filtering: D = D′ becomes F(X, X′, Z0, Z2, Z4) = G(X, X′, Z1, Z3)

Meet-in-the-middle:

▶ Compute F(X, X′, Z0, Z2, Z4) for all Z0, Z2, Z4
▶ Compute G(X, X′, Z1, Z3) for all Z1, Z3
▶ Find matches
▶ Complexity: ⋅ 2^48

Slide 15/24

Recovering the full first round key

▶ Use a trail for each slice: [figure: four 8.5-round trails (8.5R), one per active slice, each with p = 2^−128]
▶ Attack each slice independently.
▶ Recover Z_{0,i}, Z_{1,i}, Z_{2,i}, Z_{3,i}, Z_{4,i}.
▶ Complexity: w ⋅ 2^48

Slide 16/24

Second round

[Figure: WIDEA round diagram, as on the WIDEA slide]

▶ Guess the w missing key bits (MSB of Z1 in each slice)
▶ MDS input known (all slices)
▶ Compute its output
▶ Guess Z5 in one slice
▶ Compute the input of the 2nd round
▶ Recover the 2nd round key: Z6, Z7, Z8, Z9, Z10
▶ Complexity: w ⋅ 2^(64+w)


Slide 17/24

Full key recovery

First step: recover K0…4 (‖ denotes concatenation over the right pairs j = 0..k of slice i)

for 0 ≤ i < w do
    T ← ∅
    for all k1, k3 do
        G ← ‖_{j=0..k} G_i(X(i,j), X′(i,j), k1, k3)
        T{G} ← (k1, k3)
    for all k0, k2, k4 do
        F ← ‖_{j=0..k} F_i(X(i,j), X′(i,j), k0, k2, k4)
        if F ∈ T then
            k1, k3 ← T{F}
            K0…4,i ← k0, k1, k2, k3, k4

Slide 17/24 (continued)

Full key recovery

Second step: recover K5…10

for all K_{1,i}[15] do                      ▷ guess the w missing MSBs of Z1
    for 0 ≤ i < w do
        for all k5 do
            K_{5,i} ← k5
            for all i, k do
                Y(i,k) ← R(X(i,k), K)
                Y′(i,k) ← R(X′(i,k), K)
            T ← ∅
            for all k1, k3 do
                G ← ‖_{j=0..k} G_i(Y(i,j), Y′(i,j), k1, k3)
                T{G} ← (k1, k3)
            for all k0, k2, k4 do
                F ← ‖_{j=0..k} F_i(Y(i,j), Y′(i,j), k0, k2, k4)
                if F ∈ T then
                    k1, k3 ← T{F}
                    K6…10,i ← k0, k1, k2, k3, k4
                    goto next i

Slide 18/24

Complexity analysis

▶ Reduce the complexity from w ⋅ 2^(64+w) to 2^68 using a few tricks
▶ Bottleneck is finding good pairs
▶ 8 ⋅ w pairs needed
▶ Data complexity: w ⋅ 2^68

1 Using a hash table: Time w ⋅ 2^68, Mem 2^64
2 Store and sort: Time w ⋅ 2^74, Mem 2^64
3 Time-memory tradeoff: Time 5w ⋅ 2^(68+t/2), Mem 2^(64−t), adaptive CP

Slide 19/24

Outline (section divider: Hash collisions)

Slide 20/24

Hash collisions

[Figure: Davies-Meyer mode, H_{i−1} encrypted by WIDEA under the message block M as key, with feed-forward to H_i]

▶ HIDEA-512 is WIDEA-8 with Davies-Meyer
▶ Use our truncated differential trail:
  1 Find a 448-bit collision H_{i−1}, H′_{i−1} (chaining values equal on 7 of the 8 64-bit slices)
  2 Hash random message blocks
▶ With probability 2^−128, the trail is followed
▶ With probability 2^−64, collision in the feed-forward


Slide 21/24

Hash collisions

[Figure: Davies-Meyer mode, as on the previous slide]

Find P, P′ with T_448(H(P)) = T_448(H(P′))      ▷ Complexity 2^224
repeat
    M ← Rand()
until H(P‖M) = H(P′‖M)                           ▷ Complexity 2^192

▶ Full hash function collisions with complexity 2^224
▶ Very simple attack!
▶ Independent of the message expansion.
▶ Chosen prefix, meaningful messages, …

Slide 22/24

Outline (section divider: Conclusion)

Slide 23/24

Summary

Truncated differential trail
▶ MDS input too small
▶ Difference stays in a single IDEA instance with probability 2^−128
▶ Strong property, can break more than 8 rounds!

1 Key recovery
▶ Using structures of 2^64 plaintexts
▶ Complexity 2^70 for WIDEA-4 (256-bit block, 512-bit key)
▶ Complexity 2^71 for WIDEA-8 (512-bit block, 1024-bit key)

2 Hash collisions
▶ Complexity 2^224 for HIDEA-512

Slide 24/24

Thanks

Questions?

With the support of ERC project CRASH