SLIDE 1

DARXplorer

a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe

Bauhaus-University Weimar

22nd April 2009

Dennis Hoppe (BUW) DARXplorer 22nd April 2009 1 / 31

SLIDE 2

Agenda

1 Introduction to Hash Functions
2 The ThreeFish Block Cipher
3 Differential Cryptanalysis
4 DARXplorer – DC of ThreeFish
5 Results on ThreeFish
6 Generalization of DARXplorer

SLIDE 4

Introduction to Hash Functions

Hash Functions
A hash function $H : \{0,1\}^* \to \{0,1\}^n$ is used to compute an n-bit fingerprint from an arbitrarily-sized input $M \in \{0,1\}^*$
Most of them are based on a compression function $C : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^n$ with fixed-size input
Computation: $H_i := C(H_{i-1}, M_i)$

[Figure: chain of compression functions: H[0], M[1] → C → H[1], M[2] → C → ... → H[L-1], M[L] → C → H[L]]

SLIDE 5

Introduction to Hash Functions – cont’d

Compression Functions
A crucial building block of iterated hash functions is the compression function C
Designers often make use of block ciphers
Which properties should be imposed on C to guarantee that the hash function satisfies certain properties?

Theorem (Damgård-Merkle)

If the compression function C is collision-resistant, then the hash function H is collision-resistant as well.
If the compression function C is preimage-resistant, then the hash function H is preimage-resistant as well.

SLIDE 6

Introduction to Hash Functions – cont’d

Vulnerability of Hash Functions
Black-box attacks on the compression function
  Exploit the way in which multiple compression functions are combined
  Joux (2004), Kelsey and Kohno (2006)
Attacks dependent on the internal details of the compression function
  Make use of cryptanalytical techniques
  One of the most successful attacks against block ciphers is Differential Cryptanalysis
  Used to cryptanalyze MD4, MD5 [Wang et al. (2004)]

SLIDE 9

Introduction to Block Ciphers

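One-way compression functions built from block ciphers

[Figure: Davies-Meyer and Matyas-Meyer-Oseas constructions, each built around a block cipher E with inputs H_{i-1} and m_i and output H_i; a function g appears in the diagram]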

SLIDE 10

The ThreeFish Block Cipher

Motivation
Tweakable block cipher, designed to be used as a building block for a hash function
Provides speed, flexibility and ease of analysis to prove security
Supports different block sizes (ThreeFish-n); n = 256, 512, 1024
ThreeFish-n supports n-bit blocks, n-bit keys and a 128-bit tweak

Usage (Skein)
Skein-n uses ThreeFish-n
$H_i := C(H_{i-1}, T_i, M_i) := \mathrm{Threefish}_{H_{i-1}, T_i}(M_i) \oplus M_i$
We have to show that the probability is below $2^{-2n-128}$ by providing an upper bound on the probability of the best exclusive-OR difference

SLIDE 12

The ThreeFish Block Cipher – cont’d

Structure of ThreeFish-256
Non-linear MIX function
  on two 64-bit words
Permutation
  Input (A, B, C, D)
  Output (A, D, C, B)
Key Schedule
  Generates subkeys
  Injects subkeys each 8th round
  Completely omitted in DARXplorer

[Figure: round structure with two MIX operations followed by PERMUTE; words A B C D become A D C B]

SLIDE 13

The ThreeFish Block Cipher – cont’d

MIX Operation
Primitives
  Addition mod $2^{64}$,
  Word-wise rotation, and
  Bit-wise exclusive-OR
MIX(A, B, c) = (X, Y)
  Y = A + B
  X = (A ≪ c) ⊕ Y

[Figure: MIX operation with inputs A and B, a rotation <<< by c, and outputs X and Y]

SLIDE 15

Differential Cryptanalysis

Differential Cryptanalysis [Biham and Shamir (1990)]
Exploits the high probability of certain occurrences by tracing differences through the network
In: (X′, X′′), ∆X = X′ ⊕ X′′
Out: (Y′, Y′′), ∆Y = Y′ ⊕ Y′′
Ideally randomizing cipher: the probability that a particular output difference ∆Y occurs given a particular input difference ∆X is $2^{-n}$

SLIDE 16

Differential Cryptanalysis – cont’d

Example (DC)
Input Difference: ∆P1 = [0000 1011 0000 0000]
Difference-Pair for S-Box: S12 : ∆X = B → ∆Y = 2 with probability p1 = 1/2
Output Difference: ∆V1 = [0000 0010 0000 0000]
Try to find r-round characteristics!

SLIDE 17

Differential Cryptanalysis of ThreeFish

We need to make assumptions about the differential properties of the primitives

Differential exclusive-OR
  δw = δu ⊕ δv
  Pr[δw] = 1.0
Differential rotations
  t = u ≪ i, t′ = (u ⊕ δu) ≪ i
  δt = t ⊕ t′ = δu ≪ i
  Pr[δt] = 1.0
Differential addition
  Evaluating the differential properties of addition with respect to exclusive-OR is hard

[Figure: MIX operation with inputs A and B, a rotation <<< by c, and outputs X and Y]

SLIDE 20

Differential Cryptanalysis of ThreeFish – cont’d

Computing the Differential Properties of Addition [Lipmaa and Moriai (2001)]
Due to the lack of theory, it was hard to evaluate the security of ciphers that employ both exclusive-OR and addition
Compute the probability that the input differences δu and δv result in the output difference δs
  $DP^+(\delta u, \delta v \to \delta s)$
  Θ(log n) (worst-case), Θ(1) + t (average)
Compute all “good” output differentials in a deterministic way
  $DP^+_{\max}(\delta u, \delta v) = \max_{\delta s} \{ DP^+(\delta u, \delta v \to \delta s) \}$
  Θ(log n)
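
The probability DP+ described above can be evaluated with the bitwise formula from Lipmaa and Moriai's paper and checked against exhaustive counting on small words. The Python below is an added example, not part of the slides or of DARXplorer; the function names are illustrative, and `best_outputs` scans every δs rather than using the Θ(log n) method.

```python
from collections import Counter
from fractions import Fraction

def xdp_add(du, dv, ds, n):
    """DP+(du, dv -> ds) for addition mod 2^n, as an exact Fraction."""
    mask = (1 << n) - 1
    eq = lambda x, y, z: ~(x ^ y) & ~(x ^ z) & mask    # bits where x = y = z
    su, sv, ss = (du << 1) & mask, (dv << 1) & mask, (ds << 1) & mask
    # Validity: where the three differences agree at bit i-1, bit i of
    # du ^ dv ^ ds must equal that common bit; otherwise the probability is 0.
    if eq(su, sv, ss) & (du ^ dv ^ ds ^ sv):
        return Fraction(0)
    # Every bit below the MSB where the differences disagree costs a factor 1/2.
    weight = bin(~eq(du, dv, ds) & (mask >> 1)).count("1")
    return Fraction(1, 2 ** weight)

def xdp_add_exhaustive(du, dv, n):
    """Output-difference distribution counted over all 2^(2n) inputs (small n only)."""
    mask = (1 << n) - 1
    counts = Counter(((u + v) ^ ((u ^ du) + (v ^ dv))) & mask
                     for u in range(1 << n) for v in range(1 << n))
    return {ds: Fraction(c, 1 << (2 * n)) for ds, c in counts.items()}

def best_outputs(du, dv, n):
    """DP+max(du, dv) and every ds that reaches it, by scanning all ds."""
    probs = {ds: xdp_add(du, dv, ds, n) for ds in range(1 << n)}
    top = max(probs.values())
    return top, sorted(ds for ds, p in probs.items() if p == top)

if __name__ == "__main__":
    print(xdp_add_exhaustive(0x1, 0x0, 4))   # several outputs with non-zero probability
    print(best_outputs(0x1, 0x1, 4))
    print(xdp_add(1 << 63, 0, 1 << 63, 64))  # an MSB difference costs nothing
```

A difference confined to the most significant bit passes through the addition with probability 1, because the carry out of that bit is discarded.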

SLIDE 23

Differential Cryptanalysis of ThreeFish – cont’d

Recap
Regard input and output differences of the ThreeFish building blocks
  MIX operation
  Permutation
  ⇒ A complete round
Try to find r-round characteristics

[Figure: round structure with two MIX operations followed by PERMUTE; words A B C D become A D C B]

SLIDE 25

DARXplorer – An Introduction

DARXplorer [Lucks (2008)]
Provides automatic differential cryptanalysis (DC)
Currently supports the DC of primitives which use a mixture of
  Addition modulo $2^n$,
  Word-wise rotations, and
  Bit-wise exclusive-OR
Attempts to find “good” exclusive-OR differentials

Use Cases
Analyzing existing ciphers to find (new) attacks
Aiding the designer of new ciphers to defend against attacks

SLIDE 27

DARXplorer – Differential Cryptanalysis

General Approach

1 Apply a low Hamming weight ($w_h \le 3$) to $\delta_{mid}$
2 Start in the middle with $\delta_{mid}$
3 Go backwards $r_{in}$ rounds to find $\delta_{in}$ with probability $p_{in}$
4 Go forwards $r_{out}$ rounds to find $\delta_{out}$ with probability $p_{out}$
5 Result: $(r_{in} + r_{out})$-round characteristic with probability $p = p_{in} \times p_{out}$

SLIDE 28

DARXplorer – Differential Cryptanalysis cont’d

Implementation of three different techniques

Lazy Laura
  Naive approach, very fast
  Addition is replaced by exclusive-OR
  No carry bits – disregards many “good” differentials

Greedy Grete
  Studies all the most probable output differences (locally)
  Does not scale very well, runtime grows exponentially
  Does not account for differentials with non-optimal probability

Pedantic Petra
  Studies all output differences with non-zero probability
  Always traces the characteristic with the best probability
  Desired approach
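
The Lazy Laura technique applied to the general approach (start at δmid, go backwards and forwards), as an added Python example that is not DARXplorer's code. Assumptions: the rotation amounts in `ROT` are constructed placeholders rather than Threefish's constants, the words leave the two MIX operations in the order (X0, Y0, X1, Y1) before PERMUTE, the key schedule is omitted as on the slides, and round probabilities are multiplied as if independent.

```python
from itertools import combinations

W = 64                                          # word size of ThreeFish-256
MASK = (1 << W) - 1
ROT = [(7, 19), (29, 41), (3, 53), (11, 37)]    # constructed placeholders

def rotl(x, c):
    return ((x << c) | (x >> (W - c))) & MASK

def weight(da, db):
    """-log2 of DP+(da, db -> da ^ db): one per active bit below the MSB."""
    return bin((da | db) & (MASK >> 1)).count("1")

def mix_fwd(da, db, c):
    """Slide MIX with '+' replaced by XOR: dY = dA ^ dB, dX = (dA <<< c) ^ dY."""
    dy = da ^ db
    return rotl(da, c) ^ dy, dy, weight(da, db)

def mix_bwd(dx, dy, c):
    da = rotl(dx ^ dy, W - c)                   # right rotation by c
    db = dy ^ da
    return da, db, weight(da, db)

def round_fwd(s, r):
    c0, c1 = ROT[r % len(ROT)]
    x0, y0, w0 = mix_fwd(s[0], s[1], c0)
    x1, y1, w1 = mix_fwd(s[2], s[3], c1)
    return (x0, y1, x1, y0), w0 + w1            # PERMUTE swaps words 1 and 3

def round_bwd(s, r):
    c0, c1 = ROT[r % len(ROT)]
    x0, y1, x1, y0 = s                          # undo PERMUTE (an involution)
    a, b, w0 = mix_bwd(x0, y0, c0)
    c, d, w1 = mix_bwd(x1, y1, c1)
    return (a, b, c, d), w0 + w1

def characteristic(d_mid, mid, r_in, r_out):
    """Extend d_mid (difference entering round mid) r_in rounds back, r_out forward."""
    d_in, d_out, w_total = d_mid, d_mid, 0
    for r in range(mid - 1, mid - 1 - r_in, -1):
        d_in, w = round_bwd(d_in, r)
        w_total += w
    for r in range(mid, mid + r_out):
        d_out, w = round_fwd(d_out, r)
        w_total += w
    return d_in, d_out, w_total                 # probability p = 2 ** -w_total

def search(mid, r_in, r_out, max_hw=1):
    """Best (weight, d_mid) over all d_mid of Hamming weight <= max_hw."""
    best = None
    for hw in range(1, max_hw + 1):
        for bits in combinations(range(4 * W), hw):
            d = [0, 0, 0, 0]
            for b in bits:
                d[b // W] |= 1 << (b % W)
            w = characteristic(tuple(d), mid, r_in, r_out)[2]
            if best is None or w < best[0]:
                best = (w, tuple(d))
    return best
```

Because every addition is linearized, each δmid yields exactly one trail; the output differences that arise only through carries, which Greedy Grete and Pedantic Petra examine, are never visited.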

SLIDE 32

DARXplorer – Differential Cryptanalysis cont’d

Pedantic Petra

[Figure: search from δmid, going backward r_in rounds and forward r_out rounds; edges between differential pairs are labelled with probabilities 1/2, 1/5, 1/2, 1/8]

SLIDE 33

DARXplorer – Implementation Details

Used Ada 2005 as the main programming language
Provides an easy-to-use interface to process DC
Offers clean documentation of the r-round characteristics found
Limited in flexibility because it was formerly dedicated to ThreeFish

SLIDE 34

DARXplorer – Implementation Details – cont’d

Construction of Lazy Laura 256-bit

    package Lazy_Laura_256 is

       package Primitive_Library is
         new Modular_Package (Modular_Types.Unsigned_64);

       package Common_Mix_Operation is
         new Mix_Operation (Primitive_Library);

       package Concrete_Mix_Operation is
         new Common_Mix_Operation.LL;

       package Generic_Round_Function is
         new Round_Function
           (Generic_Mix_Operation   => Common_Mix_Operation,
            Inherited_Mix_Operation => Concrete_Mix_Operation.Lazy_Laura,
            Message_Block           => Threefish.TF_256);

       package Generic_Toolbox is
         new Toolbox (Concrete_Round_Function => Generic_Round_Function);

       package Concrete_Toolbox is
         new Generic_Toolbox.Lazy_Laura;

       Laura_Toolbox_256 : Concrete_Toolbox.Object;

    end Lazy_Laura_256;

SLIDE 35

DARXplorer – Implementation Details – cont’d

MIX operation (Lazy Laura)

    package body Mix_Operation.LL is

       procedure Solve_Forward
         (Operation    : in     Lazy_Laura;
          Delta_B,
          Delta_A      : in     Modular_Type;
          Delta_Y,
          Delta_X      : in out Modular_Type;
          Probability  : in out Conditioned_Float;
          Round_Offset : in     Positive)
       is
          B_Rotated : Modular_Type := Delta_B;
       begin
          DP_Xor.Solve (Delta_B, Delta_A, Delta_X, Probability);
          DP_Left_Rotation.Solve (B_Rotated, Rotation_Constants, Round_Offset);
          DP_Xor.Solve (B_Rotated, Delta_X, Delta_Y, Probability);
          DP_Addition.Differential_Probability
            (Delta_B, Delta_A, Delta_X, Probability);
       end Solve_Forward;

       [..]

    end Mix_Operation.LL;

SLIDE 37

Results

Parametrization
ThreeFish-256, ThreeFish-512, ThreeFish-1024
Vary the starting round from 1 to 80 in steps of 8 rounds
Modify the Hamming weight $w_h$ of $\delta_{mid}$ from 1 to 3
Proceed with all possible $\delta_{mid}$ having the given $w_h$

SLIDE 38

Results – cont’d

Results from the analysis of ThreeFish-256
  Lazy Laura (LL) – open file
  Greedy Grete (GG) – open file
  Pedantic Petra (PP) – open file
Challenges
  Fixed structure bound to ThreeFish – need for generalization
  Cryptanalysis takes very very very long for GG and PP

SLIDE 41

Generalization of DARXplorer

Ideas to generalize DARXplorer
Provide a simple-to-use grammar to declare a cipher
Specify declaration as plaintext or XML-based – open file
Compiler-based approach

1 Script → Lexical Analysis → Vocabulary
2 Vocabulary → Syntactical Analysis → Syntax
3 Syntax → Code-Generation → Machine Code

SLIDE 42

References

[Biham and Shamir 1990] Biham, E.; Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. In: Advances in Cryptology - CRYPTO ’90. Springer, 1990 (Lecture Notes in Computer Science), pp. 2–21
[Joux 2004] Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Advances in Cryptology-Crypto 2004: 24th Annual . . . (2004), Jan
[Kelsey and Kohno 2006] Kelsey, J.; Kohno, T.: Herding Hash Functions and the Nostradamus Attack. In: Advances in Cryptology-Eurocrypt (2006), Jan. http://www.springerlink.com/index/y6351403418l141q.pdf
[Lipmaa and Moriai 2001] Lipmaa, H.; Moriai, S.: Efficient Algorithms for Computing Differential Properties of Addition. In: Fast Software Encryption 2355 (2001), pp. 336–350
[Lucks 2008] Lucks, Stefan: DARX Finder 4 Threefish. (2008), May, p. 11
[Wang et al. 2004] Wang, X.; Feng, D.; Lai, X.; Yu, H.: Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. In: Short talk presented at CRYPTO (2004). http://www.paper.edu.cn/downloadpaper.php?serial_number=wangxiaoyun-2&type=2
