SLIDE 1
Free-start preimages of round-reduced Blake compression function - - PowerPoint PPT Presentation
Free-start preimages of round-reduced Blake compression function - - PowerPoint PPT Presentation
On behavior of Professors Ohta and Sakiyama. Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo Sakiyama The University of Electro-Communications, Japan Blake A candidate in second round for
SLIDE 2
SLIDE 3
Specification of Black compression function
Random starting value (free-start)
SLIDE 4
What Black compression function becomes?
Round functions
…
Finalization
SLIDE 5
Attack scenario …
Finalization Random fixed value.
SLIDE 6
Attack scenario …
Finalization
Independent chunks
SLIDE 7
Attack scenario …
Finalization Any pair of a hash chaining value and an internal state can contribute to one output value. If each independent chunk has t-bit freedom, we obtain 22t output values, where the complexity is 2t Blake compression function
- computation. Therefore, the complexity of finding a
preimage will be reduced by a factor of 2t.
SLIDE 8
column column column column
m6 m4
Diagonal Diagonal Diagonal Diagonal
Attack details on 4-round Blake
SLIDE 9
column column column column
m6 m4
Diagonal Diagonal Diagonal Diagonal
Attack details on 4-round Blake
By fixing some bits, the attack can be extended to 4.5 rounds.
SLIDE 10
Conclusion
Applicable to all elements of (round-reduced) Blake-family. Here pick Blake-32 as an example, which has 10 rounds. #round complexity memory technique 4 2224 232
Splice-and-cut Partial-matching
4.5 2252 28
Splice-and-cut Partial-matching Partial-fixing Splice-and-cut Partial-matching Partial-fixing Initial-structure New technique
SLIDE 11