improved rebound attack on the finalist gr stl
play

Improved Rebound Attack on the Finalist Grstl Jrmy Jean 1 Mara - PowerPoint PPT Presentation

Jan 21, 2023 •521 likes •1.24k views

Improved Rebound Attack on the Finalist Grstl Jrmy Jean 1 Mara Naya-Plasencia 2 Thomas Peyrin 3 1 cole Normale Suprieure, France 2 University of Versailles, France 3 Nanyang Technological University, Singapore FSE2012 March 19,

  1. Improved Rebound Attack on the Finalist Grøstl Jérémy Jean 1 María Naya-Plasencia 2 Thomas Peyrin 3 1 École Normale Supérieure, France 2 University of Versailles, France 3 Nanyang Technological University, Singapore FSE’2012 – March 19, 2012

  2. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 SHA-3 Competition Finalists In December 2010, the NIST chose the 5 finalists of the ◮ SHA-3 competition: • BLAKE • Grøstl • JH • Keccak • Skein This year, the winner will be chosen. ◮ FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 2/27

  3. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Grøstl : Compression Function (CF) Grøstl-v0 [Knudsen et al. 08] has been tweaked for the final: Grøstl-256 : | h | = | m | =512 bits. ◮ Grøstl-512 : | h | = | m | =1024 bits. ◮ P h ′ h m Q FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/27

  4. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Grøstl : Internal Permutations Permutations P and Q apply the wide-trail strategy from the AES . Grøstl-256 : 10 rounds on state a 8 × 8. ◮ Grøstl-512 : 14 rounds on state a 8 × 16. ◮ AddRoundConstant SubBytes ShiftBytes MixBytes Tweak: constants in ARK and Sh changed to introduce asymmetry between P and Q FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 4/27

  5. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Grøstl : Finalization Round Once all blocks of message have been treated: truncation. h i − 1 P h FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 5/27

  6. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Grøstl : Best Analysis After the Tweak Grøstl-256 : ◮ • [Sasaki et al A10]: 8-round permutation distinguisher. • [Gilbert et al. FSE10]: 8-round CF distinguisher. • [Boura et al. FSE11]: 10-round zero-sum. Grøstl-512 ◮ [Schläffer 2011]: 6-round collision on the CF. • FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 6/27

  7. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Our New Results 1/2 Based on the rebound technique [Mendel et al. FSE09]. ◮ Based on a way of finding solutions for three consecutive full ◮ active rounds: new. They apply both to 256 and 512 versions. ◮ FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 7/27

  8. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Our New Results 2/2 On Grøstl-256 , we provide distinguishers for 9 rounds of ◮ the permutation (total: 10). On Grøstl-512 , we provide distinguishers for 8, 9 and ◮ 10 rounds of the permutation (total: 14). FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 8/27

  9. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Rebound Attack Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 9/27

  10. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Rebound Attack Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB Outbound Inbound Outbound FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 9/27

  11. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 SuperSBox Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB SuperSBox = SB ◦ MC ◦ SB FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 10/27

  12. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Grøstl-256 Permutation FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 11/27

  13. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Differential Characteristic for 9 rounds Mb Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB SB FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 12/27

  14. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S5 S3 S4 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 13/27

  15. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S5 S3 S4 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 13/27

  16. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S5 S3 S4 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 13/27

  17. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S5 S3 S4 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 13/27

  18. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Inbound for 3 Full-Active Rounds: Analysis Counting 8 forward SuperSBox sets of 2 64 values and differences � 8 backward SuperSBox sets of 2 64 values and differences � Overlapping on 512 bits of values + 512 bits of differences Number of Solutions Expected 2 8 × 64 2 8 × 64 2 − 512 − 512 = 2 512 + 512 − 512 − 512 = 1 Limited Birthday Our Algorithm 2 384 operations 2 256 operations, memory 2 64 FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 14/27

  19. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Solving the 3 Active Rounds: Context The 8 forward L i overlaps the 8 backwards L ′ i like this: L 1 L 2 L 3 L 4 L 5 L 6 L 7 L 8 L ′ 1 L ′ 2 L ′ 3 L ′ 4 L ′ 5 L ′ 6 L ′ 7 L ′ 8 FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 15/27

  20. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Solving the 3 Active Rounds: Step 1 We start by choosing one element in each of the four first L ′ i . L 8 L ′ 1 L ′ 2 L ′ 3 L ′ 4 FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/27

  21. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Solving the 3 Active Rounds: Step 2 This determines a single element in each L i . L 1 L 2 L 3 L 4 L 5 L 6 L 7 L 8 � � � � � � � � L ′ 1 FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 17/27

  22. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Solving the 3 Active Rounds: Step 3 Each determined element in the remaining L ′ i exists with p = 2 − 8 × 8 . L 8 L ′ 5 L ′ 6 L ′ 7 L ′ 8 FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 18/27

  23. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Summing Up Inbound Phase In total we try 2 256 combinations of ( L ′ 1 , L ′ 2 , L ′ 3 , L ′ 4 ) and each gives a solution with probability: 2 − 4 × 8 × 8 = 2 − 256 . Outbound Phase Probability 2 − 2 × 56 to pass two 8 → 1 transitions in the MixBytes. Distinguisher We distinguish the 9-round permutation in 2 256 + 112 = 2 367 operations and 2 64 in memory. Note: This compares to a generic complexity of 2 384 operations. FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 19/27

  24. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Grøstl-512 Permutation FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 20/27

  25. Grøstl & SHA-3 Cryptanalysis Techniques Conclusion Grøstl-256 Grøstl-512 Differential Characteristic for 10 rounds Mb Mb Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB SB SB FSE’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 21/27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and Lei Wei 3 1 Ecole Polytechnique Fdrale de Lausanne, Switzerland 2 Institute for Infocomm Research, Singapore 3 Nanyang Technological University,

783 views • 46 slides
Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and Lei Wei 3 1 Ecole Polytechnique Fdrale de Lausanne, Switzerland 2 Institute for Infocomm Research, Singapore 3 Nanyang Technological University,

945 views • 51 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian

The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian

Technical University of Denmark - Graz University of Technology The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian Rechberger 1 , Martin Schl affer 1 , Sren S. Thomsen 2 1 Institute for Applied

556 views • 23 slides
Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline Motivation 1 2 Whirlpool Hash

562 views • 35 slides
Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline Motivation 1 2 Whirlpool Hash

1.01k views • 72 slides
Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa Anas Tschichold Go Goal: No Rebound! after an efficiency improvement to produce one unit, price will not decrease and therefore demand will

786 views • 39 slides
How to Improve Rebound Attacks Mar a Naya-Plasencia FHNW - Switzerland Outline 1 Hash

How to Improve Rebound Attacks Mar a Naya-Plasencia FHNW - Switzerland Outline 1 Hash

How to Improve Rebound Attacks Mar a Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1 Problem 2 4 Results

543 views • 27 slides
The Restaurant Rebound Welcome to the Restaurant Rebound, a bi-weekly report on the industrys

The Restaurant Rebound Welcome to the Restaurant Rebound, a bi-weekly report on the industrys

The Restaurant Rebound Welcome to the Restaurant Rebound, a bi-weekly report on the industrys recovery, providing an analysis of recent OpenTable booking data and the latest news out of the sector. Future issues will also include first-hand

48 views • 3 slides
Rebound Effects Digitalization and the Rebound Effect - Seminar HS2019 Martin Blapp Greenhouse

Rebound Effects Digitalization and the Rebound Effect - Seminar HS2019 Martin Blapp Greenhouse

Rebound Effects Digitalization and the Rebound Effect - Seminar HS2019 Martin Blapp Greenhouse gas abatement potential for Switzerland in 2025 Hilty, University of Zurich Research Report, 2017 2 Historical Perspective The Rebound Effect How

746 views • 41 slides
Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Py SPP attack Improving on the attack Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py SPP attack Improving on the attack Py eSTREAM entrant by Eli Biham and Jennifer Seberry Fast in

870 views • 38 slides
URI Use and Abuse New and Improved with Mac Pwnage and Mobile Attack Vectors!!! Contributing

URI Use and Abuse New and Improved with Mac Pwnage and Mobile Attack Vectors!!! Contributing

URI Use and Abuse New and Improved with Mac Pwnage and Mobile Attack Vectors!!! Contributing Authors Nathan McFeters Senior Security Analyst Ernst & Young Advanced Security Center, Chicago Billy Kim Rios Senior

841 views • 51 slides
PMF Class of 2021 Finalist Informational Webinar Welcome! Again, congratulations on your

PMF Class of 2021 Finalist Informational Webinar Welcome! Again, congratulations on your

PMF Class of 2021 Finalist Informational Webinar Welcome! Again, congratulations on your selection as a Finalist for the PMF Class of 2021! This webinar is scheduled for Wednesday, December 2, 2020, from 3:00-5:00pm (ET), and Friday, December 4,

371 views • 36 slides
PMF Class of 2020 Finalist Informational Webinar Welcome! Again, congratulations on your

PMF Class of 2020 Finalist Informational Webinar Welcome! Again, congratulations on your

PMF Class of 2020 Finalist Informational Webinar Welcome! Again, congratulations on your selection as a Finalist for the PMF Class of 2020! This webinar is scheduled for Wednesday, December 4, 2019, from 2:00-4:00pm (ET), and Friday, December 6,

467 views • 27 slides
DESIGN EMPHASIS 2018 FINALISTS Design Emphasis 2018 Finalist Honorable Mention Commercial

DESIGN EMPHASIS 2018 FINALISTS Design Emphasis 2018 Finalist Honorable Mention Commercial

DESIGN EMPHASIS 2018 FINALISTS Design Emphasis 2018 Finalist Honorable Mention Commercial Furniture Mattie Hinkley Design Emphasis 2018 Finalist Merit Commercial Furniture Nicholas Iacobucci Design Emphasis 2018 Finalist Winner

389 views • 14 slides
REBOUND EFFECT FOR PRIVATE TRANSPORT AND ENERGY SERVICES IN THE UK IAEE European Conference,

REBOUND EFFECT FOR PRIVATE TRANSPORT AND ENERGY SERVICES IN THE UK IAEE European Conference,

REBOUND EFFECT FOR PRIVATE TRANSPORT AND ENERGY SERVICES IN THE UK IAEE European Conference, Vienna, September 3-6, 2017 Mona Chitnis (University of Surrey) Roger Fouquet (LSE) Steve Sorrell (University of Sussex) Outline Rebound

300 views • 17 slides
1 in 17 are Asian 1 in 7 are Asian 5.8% 15% Japanese Korean Vietnamese 1 10/10/2017 Contra

1 in 17 are Asian 1 in 7 are Asian 5.8% 15% Japanese Korean Vietnamese 1 10/10/2017 Contra

10/10/2017 58YEAROLD ASIAN MALE WITH SHORTNESS OF BREATH Asian American Health Learning from Diversity Asian = ? What is in your differential? Latha Palaniappan, MD, MS Disease pattern differences?

666 views • 11 slides
FacsXpert July 8 , 2 0 0 4 7 th I nternational Protg Conference Builds protocols for

FacsXpert July 8 , 2 0 0 4 7 th I nternational Protg Conference Builds protocols for

FacsXpert July 8 , 2 0 0 4 7 th I nternational Protg Conference Builds protocols for studies w ith FACS instrum ents Uses a m odified Protg-based architecture that prom otes runtim e extensibility for the end-user FacsXpert

478 views • 35 slides
Beverley Straker-Bennett POCT Lead ADAS Blackpool Teaching Hospitals. Current Liquid

Beverley Straker-Bennett POCT Lead ADAS Blackpool Teaching Hospitals. Current Liquid

Beverley Straker-Bennett POCT Lead ADAS Blackpool Teaching Hospitals. Current Liquid Thromboplast Reagent discontinued by supplier Desire to improve the quality and reproducibility of the INR results by reducing the complexity the

432 views • 14 slides
Slide 1 / 38 1 A burning splint will burn more vigorously in pure oxygen than in air because

Slide 1 / 38 1 A burning splint will burn more vigorously in pure oxygen than in air because

Slide 1 / 38 1 A burning splint will burn more vigorously in pure oxygen than in air because oxygen is a reactant in combustion and A concentration of oxygen is higher in pure oxygen than is in air. B oxygen is a catalyst for combustion. C

1.01k views • 13 slides
Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas

Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas

Introduction Results ECHO Grstl Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas Peyrin CRYPTO 2010 Santa Barbara - November 19, 2010 Introduction Results ECHO Grstl Outline

382 views • 23 slides
Seminar HS2019 Distributed Systems Group (Prof. Mattern) Digitalization and the Rebound Effect

Seminar HS2019 Distributed Systems Group (Prof. Mattern) Digitalization and the Rebound Effect

Seminar HS2019 Distributed Systems Group (Prof. Mattern) Digitalization and the Rebound Effect Moti tivati tion n we e need eed t to halve e our emi emissions ea each dec ecade Image scource: (Rockstrm et al. 2017): A roadmap

737 views • 25 slides
Com m ents on General Equilibrium Rebound from Energy Efficiency Policies by Derek Lem oine

Com m ents on General Equilibrium Rebound from Energy Efficiency Policies by Derek Lem oine

Com m ents on General Equilibrium Rebound from Energy Efficiency Policies by Derek Lem oine Stefan Ambec Ecole dEconomie de Toulouse (INRA-LERNA-IDEI) Auteur Main Point Impact of energy policy (tax): Engineering approach:

174 views • 4 slides
Evaluating and Treating DNAPL in Fractured Rock Charles Schaefer, Ph.D. David Lippincott

Evaluating and Treating DNAPL in Fractured Rock Charles Schaefer, Ph.D. David Lippincott

Evaluating and Treating DNAPL in Fractured Rock Charles Schaefer, Ph.D. David Lippincott APTIM Rachael Rezez APTIM Graig Lavorgna - APTIM Dr. Michael Annable UFL Erin White UFL DNAPL Architecture, Dissolution, and Treatment

460 views • 25 slides

More recommend