Differential Cryptanalysis of Hash Functions: How to find - - PowerPoint PPT Presentation



SLIDE 1

Institute for Applied Information Processing and Communications (IAIK)

Differential Cryptanalysis of Hash Functions: How to find Collisions?

Martin Schläffer

Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Austria

martin.schlaeffer@iaik.tugraz.at

Albena 2011

Albena Hash Function Cryptanalysis I 1

SLIDE 2

Outline

1. Motivation
2. Collision Attacks
3. Differential Cryptanalysis of Hash Functions
   - Application to SHA-1
4. The Rebound Attack
   - Application to Whirlpool
   - Application to Grøstl
5. Conclusion


SLIDE 4

Motivation

- Cryptanalysis of block ciphers: well understood
- Cryptanalysis of hash functions: not so much
  - hash functions were attacked like block ciphers
- ⇒ Attacks on the MD-family by Wang et al. broke SHA-1
- NIST SHA-3 competition
  - to find a successor of SHA-1
  - to focus research on hash function cryptanalysis

SLIDE 5

Cryptographic Hash Function

[figure: m → h → h(m)]

A hash function h maps an arbitrary-length input m to an n-bit output h(m).

- Collision Resistance (2^(n/2)): find m, m′ with m ≠ m′ and h(m) = h(m′)
- Second-Preimage Resistance (2^n): given m and h(m), find m′ with m′ ≠ m and h(m′) = h(m)
- Preimage Resistance (2^n): given h(m), find m

SLIDE 6

Iterated Hash Function Construction

[figure: IV → f(M1) → f(M2) → f(M3) → ... → f(Mt) → g → H(m); chaining values are w bits wide, the output is n bits]

- Most hash functions use some kind of iteration
  - compression function f
  - output transformation g
  - chaining value size w ≥ n
- Strength depends on f, g and w
  - a smaller w needs a stronger f
- The building blocks are analyzed as well


SLIDE 8

Collision Attacks

[figure: m → h → h(m) and m* → h → h(m*), with h(m) = h(m*)]

Find two different messages which result in the same hash value: m ≠ m* with h(m) = h(m*).

- the birthday effect applies: 2^(n/2)

SLIDE 9

Collision Attacks (Differential View)

[figure: m and m* through h; input difference ∆m ≠ 0, output difference ∆h(m) = 0]

Find two different messages which result in the same hash: find m and ∆m with ∆m ≠ 0 and ∆h(m) = 0.

- Usually XOR differences are used: ∆m = m ⊕ m* and ∆h(m) = h(m) ⊕ h(m*)



SLIDE 12

Differential Characteristic

[figure: ∆m ≠ 0 → h → ∆h(m) = 0]

How to find m and ∆m?

- find a differential characteristic (trail, path)
  - it determines ∆m
  - it holds with high probability P
- if P > 2^(-n/2):
  - find a colliding m by trying 1/P random messages, i.e. with complexity < 2^(n/2)
- ⇒ how to improve the complexity of the attack?
- ⇒ how to find good differential characteristics?


SLIDE 14

How to Improve Complexity of Attack?

[figure: ∆m ≠ 0 → h → ∆h(m) = 0]

- Good characteristic for block ciphers:
  - optimizes probability
- Good characteristic for hash functions:
  - optimizes probability
  - minimizes the effort to find m
- How to find m?
  - no secret key involved: we can choose m according to the characteristic
  - the resulting equations in the first steps are easy (only a small part of the message is involved)
  - reduced costs at the input of the characteristic
- ⇒ use a characteristic with lower probability at the input to get higher probability towards the end

SLIDE 15

How to Find Good Differential Characteristics?

- block cipher based design:
  - use the characteristic of a block cipher attack (also related-key characteristics)
- by hand:
  - MD4, MD5, SHA-1 (Wang et al.)
- (semi-)automatic tools:
  - linearize the hash function (coding tools)
  - non-linear differential search
- by design:
  - well known best characteristics

SLIDE 16

Example: SHA-1

- high probability in the second part (L)
  - linearize the hash function [RO05]
  - search for a linear differential characteristic using low-weight code search
- connect with the IV in the first part (NL)
  - low probability
  - search for a non-linear characteristic [WYY05, DR06]
- message modification
  - easy for the first 16 steps (just invert the equation)
  - also possible for more steps (≤ 25) (advanced message modification)

SLIDE 17

Finding Linear Characteristics

- Message expansion is linear
- Linearize modular addition by XOR
  - no carry with probability 1/2
- Linearize the Boolean function by XOR
  - holds with probability ∼ 1/2
- Probabilities are given for single-bit differences

SLIDE 18

Finding Linear Characteristics

- Differences with low Hamming weight result in good probability
- Finding a good linear characteristic corresponds to finding a low-weight code word in a linear code
- A good representation of the hash function is important
- Open source tool to find low-weight code words: http://www.iaik.tugraz.at/content/research/krypto/codingtool/
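The probabilities on the two slides above can be checked exhaustively. The Python script below is an added example, not part of the slides: it counts, over all pairs of 8-bit words (8 bits is an assumption chosen so that every pair can be enumerated; SHA-1 uses 32-bit words), how often modular addition with a given XOR input difference behaves like XOR, and how often a single-bit difference propagates through the bitwise SHA-1 Boolean functions Ch, Maj and Parity. It goes slightly beyond the slides by also showing a weight-2 difference, where the probability drops to 1/4, and the most significant bit, where the linearisation always holds.

```python
from itertools import product
from typing import Callable

WIDTH = 8                     # assumption: 8-bit words so that all pairs can be enumerated
MASK = (1 << WIDTH) - 1


def add_linear_prob(delta_x: int, delta_y: int = 0) -> float:
    """Probability, over all x and y, that modular addition behaves like XOR for
    the XOR input differences (delta_x, delta_y):
        ((x ^ dx) + (y ^ dy)) mod 2^WIDTH == ((x + y) mod 2^WIDTH) ^ dx ^ dy
    This is the 'no carry' event the linearisation relies on."""
    hits = 0
    for x in range(1 << WIDTH):
        for y in range(1 << WIDTH):
            real = ((x ^ delta_x) + (y ^ delta_y)) & MASK
            linear = ((x + y) & MASK) ^ delta_x ^ delta_y
            hits += real == linear
    return hits / (1 << (2 * WIDTH))


def ch(x: int, y: int, z: int) -> int:
    return (x & y) ^ ((x ^ 1) & z)      # SHA-1 f for steps 0-19, one bit position


def maj(x: int, y: int, z: int) -> int:
    return (x & y) ^ (x & z) ^ (y & z)  # steps 40-59


def parity(x: int, y: int, z: int) -> int:
    return x ^ y ^ z                    # steps 20-39 and 60-79


def bool_propagation_prob(f: Callable[[int, int, int], int], var: int) -> float:
    """Fraction of the 8 input triples for which flipping input `var`
    (0 = x, 1 = y, 2 = z) flips the output of the bitwise function f.
    Linearising f by XOR fixes the output difference to either 0 or 1; the
    chosen value holds with this probability or with one minus it."""
    flips = 0
    for bits in product((0, 1), repeat=3):
        flipped = list(bits)
        flipped[var] ^= 1
        flips += f(*bits) != f(*flipped)
    return flips / 8


if __name__ == "__main__":
    # single-bit differences: 1/2, except the MSB where the carry is dropped anyway
    for dx in (1, 1 << 3, 1 << (WIDTH - 1), 0b11, 0b101):
        print(f"addition, delta_x={dx:#04x}: {add_linear_prob(dx)}")
    print("difference in both operands, bit 0:", add_linear_prob(1, 1))
    for name, f in (("Ch", ch), ("Maj", maj), ("Parity", parity)):
        print(name, [bool_propagation_prob(f, v) for v in range(3)])
```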

SLIDE 19

Finding Non-Linear Characteristics [DR06]

- Using generalized conditions


SLIDE 23

Finding Non-Linear Characteristics [DR06]

- Determine the message difference and the difference after step 16
  - using the linear tool
- Find the propagation of differences
  - using the non-linear tool
- Add conditions to control the differences
  - no probability needed here
- Find a conforming message pair
  - message modification until step 25
  - probabilistic for further steps

SLIDE 24

Message Modification

- To improve the complexity of the attack in the first few steps
  - up to 25 in the case of SHA-1
- Many dedicated techniques have been published:
  - advanced message modifications [WYY05]
  - equation solving [SKPI07]
  - neutral bits [BC04]
  - boomerang/tunnels [JP07, Kli06]
  - greedy approach [DMR07]
- Resulting theoretical complexity for SHA-1: ∼ 2^63 [WYY05]
  - implementation overhead!


SLIDE 26

The Rebound Attack [MRST09]

- One more tool in the cryptanalysis of hash functions
- Invented during the cryptanalysis of Whirlpool and Grøstl
  - AES-based designs allow a simple application of the idea
- Related work:
  - truncated differentials
  - inside-out techniques
  - meet-in-the-middle techniques
  - message modification
  - ...
- Has been applied to a wide range of hash functions
  - Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ...

SLIDE 27

The Rebound Attack

[figure: E split into Ebw (outbound), Ein (inbound) and Efw (outbound)]

- Applies to block-cipher and permutation based designs: E = Efw ∘ Ein ∘ Ebw, P = Pfw ∘ Pin ∘ Pbw
- Inbound phase
  - efficient meet-in-the-middle phase in Ein, aided by the available degrees of freedom
- Outbound phase
  - probabilistic part in Ebw and Efw
  - repeat the inbound phase if needed

SLIDE 28

The Whirlpool Hash Function

- Designed by Barreto and Rijmen in 2000 [BR00]
  - evaluated by NESSIE
  - standardized by ISO/IEC 10118-3:2003
- Iterative hash function based on the Merkle-Damgård design principle
  - message block, chaining values, hash size: 512 bit

[figure: IV → f(M1) → f(M2) → f(M3) → ... → f(Mt) → H(m)]

SLIDE 29

The Whirlpool Compression Function

[figure: state update (SB SC MR AK) with round keys from the key schedule (SB SC MR AC); inputs Mj and Hj−1, output Hj]

- 512-bit hash value and 512-bit message blocks
- Block-cipher based design (AES)
  - Miyaguchi-Preneel mode with a conservative key schedule

SLIDE 30

The Whirlpool Round Transformations

- The state update and the key schedule update an 8 × 8 state S and K of 64 bytes
  - 10 rounds each
- AES-like round transformation r_i = AK ∘ MR ∘ SC ∘ SB
  - SubBytes S(x), ShiftColumns, MixRows, AddRoundKey K_i

[figure: the four round transformations applied to the 8 × 8 state]


SLIDE 32

Collision Attack on Whirlpool

[figure: compression function with the difference ∆Mj in the message input and no difference in Hj−1]

- 1-block collision:
  - fixed H_(j−1) (to the IV)
  - f(M_j, H_(j−1)) = f(M*_j, H_(j−1)), M_j ≠ M*_j


SLIDE 35

Collision Attack on 4 Rounds

[figure: 4 rounds of the state update S0..S4 with round keys K0..K4 (key schedule constant), input M1, IV, output H1]

- Differential trail with the minimum number of active S-boxes
  - 81 for any 4-round trail (1 → 8 → 64 → 8)
  - maximum differential probability: (2^(-5))^81 = 2^(-405)
- How to find a message pair following the differential trail?

SLIDE 36

First: Use Truncated Differences

[figure: states S0..S4 through 4 rounds, active bytes 1 → 8 → 64 → 8 → 1]

- byte-wise truncated differences: active / not active
  - we do not care about the actual differences
  - a single active byte at input and output is enough
  - probabilistic in MixRows: 2^(-56) for 8 → 1
- we can remove many restrictions (more freedom)
  - hopefully less complexity in the message search


SLIDE 40

How to Find a Message Pair?

[figure: states S0..S4 through 4 rounds, input M1, output H1]

- message modification?
- inside out?
- meet in the middle?
- rebound!

SLIDE 41

Rebound Attack on 4 Rounds [MRST09]

[figure: 4 rounds S0..S4; outbound phase (round 1), inbound phase (rounds 2 and 3), outbound phase (round 4)]

- Inbound phase
  - (1) start with differences in rounds 2 and 3
  - (2) match-in-the-middle at the S-box using the values of the state
- Outbound phase
  - (3) probabilistic propagation in MixRows in rounds 1 and 4
  - (4) match the one-byte difference of the feed-forward


SLIDE 45

Inbound Phase

[figure: states S_2^SC, S_2, S_3^SB, S_3^MR across MR AK SB SC MR, with example byte differences; differences are propagated from both sides, matched at SubBytes, and values are obtained]

- (1) Start with arbitrary differences in state S_3^MR
  - linearly propagate all differences backward to S_3^SB
  - linearly propagate row-wise forward from S_2^SC to S_2
- (2) Match-in-the-middle at the SubBytes layer
  - check if the differences can be connected (for each S-box)
  - with probability 2^(-xx) we get 2^xx solutions for each row
- we get ∼ 2^64 right pairs with complexity ∼ 2^8

SLIDE 46

Difference Distribution Table (Whirlpool)

[table: excerpt of the Whirlpool S-box DDT with input differences 00 to 0f as rows and output differences 10 to 1f as columns; the nonzero entries shown are 2, 4, 6 and 8 (blank cells are zero); the column positions of the entries were lost in extraction]

SLIDE 47

Match-in-the-Middle for Single S-box

[figure: S-box with input difference ∆a and output difference ∆b]

- Check for matching input/output differences using the Difference Distribution Table (DDT)
- Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b
- Solve the equation for all x and count the number of solutions:
  - 25880/65025 entries (with ∆a, ∆b ≠ 0) in the DDT are nonzero
  - match with probability 0.398
  - we get either 2, 4, 6 or 8 values
  - 65280 values for 25880 possible differentials
  - 2.522 values (right pairs) on average
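As an added example (not from the slides), the Python below builds the DDT of an 8-bit S-box, reproduces the counting of this slide for a single S-box, and derives from it the per-row figures for eight independent S-boxes used on the next slides. The Whirlpool S-box table is not reproduced here, so the AES S-box is generated in code instead (an assumption): the values 0.398 and 2.522 are Whirlpool's, AES gives 0.498 and 2.016, and `row_estimate` applied to the Whirlpool figures gives the 2^(-10.6) / 2^10.7 per-row values.

```python
import math
from typing import List, Tuple


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def aes_sbox() -> List[int]:
    """Generate the AES S-box (inverse in GF(2^8), then the affine map).
    Assumption: used here as a stand-in for the Whirlpool S-box table."""
    box = []
    for x in range(256):
        inv = 0
        if x:
            inv, p, e = 1, x, 254          # x^254 == x^-1 in GF(2^8)
            while e:
                if e & 1:
                    inv = gf_mul(inv, p)
                p = gf_mul(p, p)
                e >>= 1
        s = inv
        for k in range(1, 5):              # s = inv ^ rotl(inv, 1..4) ^ 0x63
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box


def ddt(sbox: List[int]) -> List[List[int]]:
    """DDT[da][db] = number of x with S(x) ^ S(x ^ da) == db."""
    table = [[0] * 256 for _ in range(256)]
    for da in range(256):
        for x in range(256):
            table[da][sbox[x] ^ sbox[x ^ da]] += 1
    return table


def match_solutions(sbox: List[int], da: int, db: int) -> List[int]:
    """The 'get values' step: every x with S(x) ^ S(x ^ da) == db.
    An empty list means the differential (da, db) cannot be connected."""
    return [x for x in range(256) if sbox[x] ^ sbox[x ^ da] == db]


def mitm_stats(table: List[List[int]]) -> dict:
    """Single-S-box figures from the slide, over da != 0 and db != 0."""
    nz = [(da, db) for da in range(1, 256) for db in range(1, 256) if table[da][db]]
    values = sum(table[da][db] for da, db in nz)
    return {
        "differentials": 255 * 255,               # 65025 candidate (da, db) pairs
        "possible": len(nz),                      # nonzero DDT entries
        "match_probability": len(nz) / (255 * 255),
        "values": values,                         # right pairs over all differentials
        "avg_solutions": values / len(nz),        # values per possible differential
        "solution_counts": sorted({table[da][db] for da, db in nz}),
    }


def row_estimate(match_prob: float, avg_solutions: float, cells: int = 8) -> Tuple[float, float]:
    """Per-row estimate for a row of independent S-boxes: log2 of the probability
    that all `cells` differentials match, and log2 of the expected number of
    row solutions when they do."""
    return cells * math.log2(match_prob), cells * math.log2(avg_solutions)


if __name__ == "__main__":
    box = aes_sbox()
    stats = mitm_stats(ddt(box))
    print(stats)
    print("AES per row (log2 prob, log2 solutions):",
          row_estimate(stats["match_probability"], stats["avg_solutions"]))
    # the slide's Whirlpool figures give the per-row values of the following slides
    print("Whirlpool per row:", row_estimate(0.398, 2.522))
```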


SLIDE 50

Inbound Phase

[figure: states S_2^SC, S_2, S_3^SB, S_3^MR across MR AK SB SC MR; differences from both sides are matched at SubBytes and values are obtained]

- (1) Start with arbitrary differences in state S_3^MR
  - linearly propagate all differences backward to S_3^SB
  - linearly propagate row-wise forward from S_2^SC to S_2
- (2) Match-in-the-middle at the SubBytes layer
  - check if the differences can be connected (for each S-box)
  - with probability 2^(-10.6) we get 2^10.7 solutions for each row
- ⇒ we get ∼ 2^(8·10.7) right pairs with complexity < 2^16

SLIDE 51

Outbound Phase

[figure: 4 rounds S0..S4; outbound 2^(-56), inbound with average complexity 1, outbound 2^(-56)]

- (3) Propagate through MixRows of round 1 and round 4
  - using truncated differences (active bytes: 8 → 1)
  - probability: 2^(-56) in each direction
- (4) Match the difference in the one active byte of the feed-forward (2^(-8))
- ⇒ collision for 4 rounds of Whirlpool with complexity 2^120

SLIDE 52

Extending the Attack to 5 Rounds [LMR+09]

[figure: 5 rounds S0..S5; outbound 2^(-56), inbound (now two rounds) with average complexity 1, outbound 2^(-56)]

- By adding one round to the inbound phase of the attack we can extend the attack to 5 rounds
- The outbound phase is identical to the attack on 4 rounds
  - probability: 2^(-120)
- ⇒ Construct 2^120 starting points in the inbound phase with average complexity 1


SLIDE 55

Inbound Phase

[figure: states S_2^SC, S_2, S_3^SB, S_3^MR across MR AK SC SB MR AK SB SC MR; 2^64 differences on each side, matched through the SuperBox, giving 2^64 values/differences]

- (1) Start with arbitrary differences in states S_3^MR and S_3^SB
  - we need to propagate all 2^64 differences backward at once
- (2) Match-in-the-middle at the SuperBox (SB − MR − AK − SB)
  - similar to a 64-bit S-box (the DDT has size 2^128)
  - time-memory trade-off with time/memory 2^64
- ⇒ with complexity 2^64 we get at least 2^64 pairs

SLIDE 56

From Collisions to Near-Collisions

[figure: 7 rounds S0..S7 (AC SB SH MB); probabilities 1, 2^(-56), average 1, 2^(-56), 1]

- Add one round at the input and one at the output
  - no additional complexity
  - MixRows: 1 → 8 with probability 1
- ⇒ Near-collision attack for 7 rounds
  - time complexity 2^112 and 2^64 memory

SLIDE 57

Compression Function Attacks

[figure: compression function with the difference ∆Mj in the message input; the chaining input Hj−1 is freely chosen]

- We can freely choose the chaining input H_(j−1)
  - no differences in H_(j−1)
  - semi-free-start (near-)collisions
- Extend the previous attacks by 2 rounds
  - using multiple inbound phases
- The outbound phases of the attacks stay the same


SLIDE 63

Inbound Phase

[figure: 5 rounds S0..S5; 1st inbound phase, connect, 2nd inbound phase]

- Idea:
  - use two independent inbound phases
  - connect them using the 512-bit freedom of the key input (S_3 = S_2^MR ⊕ K_3)
- A bit more tricky than that (3 key inputs involved)
  - connect the rows independently
  - find 2^64 solutions with complexity 2^128
- ⇒ Collision on 7 and near-collision on 9 rounds

SLIDE 64

Summary of Results on Whirlpool

target                rounds  computational complexity  memory requirements  type
hash function         5       2^(184−s)                 2^s                  collision
hash function         7       2^(176−s)                 2^s                  near-collision
compression function  7       2^184                     2^64                 collision
compression function  9       2^176                     2^64                 near-collision


SLIDE 66

Summary of Results on Whirlpool

target                rounds  computational complexity  memory requirements  type
hash function         5.5     2^(184−s)                 2^s                  collision
hash function         7.5     2^(176−s)                 2^s                  near-collision
compression function  7.5     2^184                     2^64                 collision
compression function  9.5     2^176                     2^64                 near-collision
compression function  10      2^188                     2^64                 distinguisher

SLIDE 67

Open Problems

[figure: compression function with differences ∆Hj−1 in the chaining input and ∆Mj in the message input]

- Using differences also in the chaining input
- Combination of:
  - related-key attacks on block ciphers
  - local collisions
  - rebound attack

SLIDE 68

The SHA-3 Candidate Grøstl [GKM+11]

[figure: compression function built from the permutations P and Q, inputs Hi−1 and Mi, output Hi]

- SHA-3 finalist
- AES-based hash function
- Permutation based design
- Designed by DTU (Denmark) and TU Graz (Austria)
  - Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen

slide-69
SLIDE 69

Institute for Applied Information Processing and Communications (IAIK)

Permutations P and Q of Grøstl

Q: P:

0i1i2i3i4i5i6i7i

AddRoundConstant

fieidicibiai9i8i ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff S

SubBytes

S

ShiftRows MixColumns

AES like round transformations

8 × 8 state and 10 rounds for Grøstl-256 8 × 16 state and 14 rounds for Grøstl-512

Based on design principles of AES

not using AES as a direct building block better diffusion, wider trails

SLIDE 70-73 (incremental build; final state shown)

The Rebound Attack on Grøstl

[Figure: truncated differential path over 8 rounds of P (states P0 ... P8, each round AC SB SH MB); round probabilities 1, 2^-56, (inbound: average 1), 2^-56, 1, 1]

1) Construct optimal truncated differential path
  by hand, well-known
  how to find right pairs?

2) Inbound phase
  three rounds with average complexity 1
  using SuperBox time-memory trade-offs

3) Outbound phase
  high probability for sparse paths

⇒ find solutions with complexity 2^112 and 2^64 memory
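The inbound phase of steps 2) and 3) above, reduced to a single AES column, as an added example that is not code from the slides or from the Grøstl/Whirlpool submissions. It assumes the AES S-box and the 4-byte AES MixColumns in place of the 8-byte MixBytes of Grøstl and Whirlpool, a truncated path of 1 -> 4 -> 4 -> 1 active bytes around one SubBytes layer, and function names (inbound, check_path, average_cost) that are the example's own. It shows the mechanism behind "find differences and values simultaneously": once the differences on both sides of the S-box layer are fixed by the linear layers, the difference distribution table (DDT) of the S-box decides whether a chosen pair of differences has any right pair at all (about one in two S-box differences does) and, for the compatible ones, lists the actual values; averaged over random difference choices this yields about one full-column solution per trial, the "average complexity 1" of the slide.

```python
"""Inbound phase of the rebound attack, scaled down to one AES column.
Added example, not code from the slides or the Grostl/Whirlpool submissions.
Assumed: AES S-box and 4-byte AES MixColumns in place of the 8-byte MixBytes
of Grostl/Whirlpool; truncated path 1 -> 4 -> 4 -> 1 active bytes around one
SubBytes layer.  All function names are the example's own."""
import random
from itertools import product

# GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1
def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); 0 maps to 0, as in the AES S-box."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xff

def _affine(x):
    return x ^ _rotl8(x, 1) ^ _rotl8(x, 2) ^ _rotl8(x, 3) ^ _rotl8(x, 4) ^ 0x63

SBOX = [_affine(gf_inv(x)) for x in range(256)]

def build_ddt(sbox):
    """DDT[din][dout] = number of x with S(x) ^ S(x ^ din) == dout."""
    ddt = [[0] * 256 for _ in range(256)]
    for din in range(256):
        for x in range(256):
            ddt[din][sbox[x] ^ sbox[x ^ din]] += 1
    return ddt

DDT = build_ddt(SBOX)

def sbox_solutions(din, dout):
    """The values behind a DDT entry: every x whose pair (x, x ^ din) follows din -> dout."""
    return [x for x in range(256) if SBOX[x] ^ SBOX[x ^ din] == dout]

# AES MixColumns on one column (MDS: 1 active byte in -> 4 active bytes out)
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MC_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_column(col, matrix=MC):
    return [gf_mul(r[0], col[0]) ^ gf_mul(r[1], col[1]) ^ gf_mul(r[2], col[2]) ^ gf_mul(r[3], col[3])
            for r in matrix]

def inbound(delta_in, delta_out, pos_in=0, pos_out=0):
    """delta_in / delta_out: the single active byte entering the MixColumns before the
    S-box layer / leaving the one after it.  MixColumns is linear and maps differences
    by itself; the S-box layer is where differences and values must be matched.
    Returns every (x, x') column pair at the S-box input, [] if none exists."""
    d_in = [delta_in if j == pos_in else 0 for j in range(4)]
    d_out = [delta_out if j == pos_out else 0 for j in range(4)]
    d_a = mix_column(d_in)            # difference at the S-box input, 4 active bytes
    d_b = mix_column(d_out, MC_INV)   # difference at the S-box output, 4 active bytes
    if any(DDT[d_a[j]][d_b[j]] == 0 for j in range(4)):
        return []                     # one zero DDT entry kills the whole column
    per_byte = [sbox_solutions(d_a[j], d_b[j]) for j in range(4)]
    return [(list(xs), [xs[j] ^ d_a[j] for j in range(4)]) for xs in product(*per_byte)]

def check_path(pair, pos_in=0, pos_out=0):
    """Recompute backward and forward: exactly one active byte before the first
    MixColumns and after the second."""
    x, x2 = pair
    back = [u ^ v for u, v in zip(mix_column(x, MC_INV), mix_column(x2, MC_INV))]
    fwd = [u ^ v for u, v in zip(mix_column([SBOX[b] for b in x]),
                                 mix_column([SBOX[b] for b in x2]))]
    return (all((back[j] != 0) == (j == pos_in) for j in range(4)) and
            all((fwd[j] != 0) == (j == pos_out) for j in range(4)))

def first_compatible():
    """Smallest (delta_in, delta_out) whose four DDT entries are all non-zero."""
    for a in range(1, 256):
        for b in range(1, 256):
            if inbound(a, b):
                return a, b

def average_cost(trials, seed=1):
    """Random difference choices: about (1/2)^4 survive the four DDT checks and each
    survivor yields at least 2^4 pairs, i.e. about one right pair per trial."""
    rng = random.Random(seed)
    compatible = solutions = 0
    for _ in range(trials):
        pairs = inbound(rng.randrange(1, 256), rng.randrange(1, 256))
        compatible += bool(pairs)
        solutions += len(pairs)
    return compatible, solutions

if __name__ == "__main__":
    print(first_compatible(), average_cost(256))
```

Run as a script it prints the first compatible difference pair and the compatible/right-pair counts over 256 random trials. Going from this column to Grøstl changes only the two matrices (8-byte MixBytes) and the S-box width of the path; the three-round inbound phase of the slide additionally precomputes the SuperBox (S-box, MixBytes, S-box on a whole column) for the chosen differences, and for an 8-byte column that table has 2^64 entries, which is the memory figure on the slide.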

SLIDE 74

Relatively Simple Analysis of Grøstl

[Figure: truncated differential path over 3 rounds of the compression function (IV, M1, H1 through Q0 ... Q3 and P0 ... P3, each round AC SB SH MB); costs 2^56, average 1, 2^8 (2^56 · 2^8 = 2^64 in total)]

Easy to construct truncated differential paths
Optimal use of available freedom (message)

Results for Grøstl-256, Grøstl-512
  hash function collisions for 3 rounds (of 10, 14)
  compression function collisions for 6 rounds (of 10, 14)

SLIDE 75

Summary for Rebound Attack on Grøstl

Lots of cryptanalysis (mostly on Grøstl-0)
[MPRS09, Pey10, SLW+10, MRST09, MRST10, ITP10]

No multiple inbound phases possible
No key-schedule input (no related-key attacks)
Provable resistance against standard differential attacks
Using (powerful) truncated differentials
  still only 3 out of 10 rounds can be attacked

SLIDE 76

Summary of Rebound Attacks

Basic principle not that difficult
  efficient inbound phase
  probabilistic outbound phase

Difficulty in constructing and merging inbound phases
  finding good and sparse truncated differential paths
  efficient way to use available freedom for merge

SLIDE 77

Other Rebound Attacks

ECHO:

big state but rather sparse truncated differential paths

JH:

4-bit S-boxes, multiple inbound phases

Lane:

2x inbound for Lane-256, 3x inbound for Lane-512

Luffa:

4-bit S-boxes, find differential path first, then values

Skein:

rotational rebound attack

http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo

SLIDE 79

More Freedom in Attacking Hash Functions

... than in attacks on block ciphers

AES-based designs (Whirlpool, Grøstl):
  3 rounds in the middle with (average) complexity 1
  1.5 rounds at the beginning

ARX-based designs (SHA-1):
  up to 25 steps at the beginning with message modification

SLIDE 80

Conclusion

Differential cryptanalysis
  powerful tool in analyzing hash functions
  many hash functions broken using DC
  sparse (truncated) differential characteristics needed

AES based designs:
  best truncated differential path can be used (with small modifications)
  rebound attack to find differences and values simultaneously

ARX based designs:
  unknown if good characteristics exist
  (semi-)automatic tools needed (linear, nonlinear)
  still some work to do for ARX based SHA-3 finalists

SLIDE 81

Thank you for your Attention! Questions?

SLIDE 82

References I

[BC04] Eli Biham and Rafi Chen. Near-Collisions of SHA-0. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of LNCS, pages 290–305. Springer, 2004.

[BR00] Paulo S. L. M. Barreto and Vincent Rijmen. The WHIRLPOOL Hashing Function. Submitted to NESSIE, September 2000, revised May 2003. Available online: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html.

[DMR07] Christophe De Cannière, Florian Mendel, and Christian Rechberger. Collisions for 70-Step SHA-1: On the Full Cost of Collision Search. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 of LNCS, pages 56–73. Springer, 2007.

SLIDE 83

References II

[DR06] Christophe De Cannière and Christian Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of LNCS, pages 1–20. Springer, 2006.

[GKM+11] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl – a SHA-3 candidate. Submission to NIST (Round 3), January 2011. Available online: http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html.

[ITP10] Kota Ideguchi, Elmar Tischhauser, and Bart Preneel. Improved Collision Attacks on the Reduced-Round Grøstl Hash Function. In Mike Burmester, Gene Tsudik, Spyros S. Magliveras, and Ivana Ilic, editors, ISC, volume 6531 of LNCS, pages 1–16. Springer, 2010.

SLIDE 84

References III

[JF11] Jérémy Jean and Pierre-Alain Fouque. Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function. In Fast Software Encryption, 2011. To appear.

[JP07] Antoine Joux and Thomas Peyrin. Hash Functions and the (Amplified) Boomerang Attack. In Alfred Menezes, editor, CRYPTO, volume 4622 of LNCS, pages 244–263. Springer, 2007.

[Kli06] Vlastimil Klima. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105, 2006. http://eprint.iacr.org/.

SLIDE 85

References IV

[KNPRS10] Dmitry Khovratovich, María Naya-Plasencia, Andrea Röck, and Martin Schläffer. Cryptanalysis of Luffa v2 Components. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 388–409. Springer, 2010.

[LMR+09] Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schläffer. Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 126–143. Springer, 2009.

[MNPN+09] Krystian Matusiewicz, María Naya-Plasencia, Ivica Nikolić, Yu Sasaki, and Martin Schläffer. Rebound Attack on the Full Lane Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 106–125. Springer, 2009.

SLIDE 86

References V

[MPRS09] Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schläffer. Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 16–35. Springer, 2009.

[MRS09] Florian Mendel, Christian Rechberger, and Martin Schläffer. Cryptanalysis of Twister. In Michel Abdalla, David Pointcheval, Pierre-Alain Fouque, and Damien Vergnaud, editors, ACNS, volume 5536 of LNCS, pages 342–353. Springer, 2009.

[MRST09] Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of LNCS, pages 260–276. Springer, 2009.

SLIDE 87

References VI

[MRST10] Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Rebound Attacks on the Reduced Grøstl Hash Function. In Josef Pieprzyk, editor, CT-RSA, volume 5985 of LNCS, pages 350–365. Springer, 2010.

[Pey10] Thomas Peyrin. Improved Differential Attacks for ECHO and Grøstl. In Tal Rabin, editor, CRYPTO, volume 6223 of LNCS, pages 370–392. Springer, 2010.

[RO05] Vincent Rijmen and Elisabeth Oswald. Update on SHA-1. In Alfred Menezes, editor, CT-RSA, volume 3376 of LNCS, pages 58–71. Springer, 2005.

SLIDE 88

References VII

[Sch10] Martin Schläffer. Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 369–387. Springer, 2010.

[SKPI07] Makoto Sugita, Mitsuru Kawazoe, Ludovic Perret, and Hideki Imai. Algebraic Cryptanalysis of 58-Round SHA-1. In Alex Biryukov, editor, FSE, volume 4593 of LNCS, pages 349–365. Springer, 2007.

[SLW+10] Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, and Kazuo Ohta. Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. In Masayuki Abe, editor, ASIACRYPT, volume 6477 of LNCS, pages 38–55. Springer, 2010.

SLIDE 89

References VIII

[WFW09] Shuang Wu, Dengguo Feng, and Wenling Wu. Cryptanalysis of the LANE Hash Function. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 126–140. Springer, 2009.

[WYY05] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Victor Shoup, editor, CRYPTO, volume 3621 of LNCS, pages 17–36. Springer, 2005.
