limited birthday distinguishers
play

Limited-Birthday Distinguishers for Hash Functions Collisions - PowerPoint PPT Presentation

Jan 26, 2023 •658 likes •877 views

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be Meaningful Mitsugu Iwamoto 1 , Thomas Peyrin 2 and Yu Sasaki 3 1: The University of Electro-Communications, Japan 2:Nanyang Technological University,

  1. Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be Meaningful Mitsugu Iwamoto 1 , Thomas Peyrin 2 and Yu Sasaki 3 1: The University of Electro-Communications, Japan 2:Nanyang Technological University, Singapore 3:NTT Secure Platform Laboratories, Japan Asiacrypt 2013 (5/Dec/2013@Bengaluru ) 1

  2. Research Summary • Prove the generic attack cost of the LBD – the known generic attack [GP10] is optimal. • LBD is useful – LBD for hash functions  breaking the dTCR notion. • Constructing LBD on hash functions – Converting semi-free-start collisions (on the comp. func.) even with complexity beyond 2 n /2 . • Find LBD for concrete designs – Some achieve the best attack for the hash setting: eg. RIPEMD128, Whirlpool 2

  3. Hash Functions • Hash Functions provide a fixed-size message fingerprint for arbitrary length message. • Merkle-Damgård Construction M 0 M 1 M 2 M N -1 CF CF CF CF IV Hash • Many schemes are proven to be secure by assuming the ideality of the underlying primitive.  Showing a non-ideality is important. 3

  4. Limited Birthday Distinguishers (LBD) • Recently, especially in the SHA-3 competition, many distinguishing attacks have been proposed. e.g. q -multi-coll., Rotational dist., subspace dist. • Limited-Birthday Distinguisher [GP10] finds paired values satisfying the set of pre-specified input diffs D IN and output diffs D OUT . ideal target D IN D OUT D IN D OUT CF CF compare What’s the cost? the costs 4

  5. Known Generic Attack for LBD [GP10] input output n = 128 I = | D IN | = 32 8 rounds O = | D OUT | = 32 AES • Previous method conjectured to be the best – Fix 2 n-I inactive input bits – Choose all 2 I active input bits and make all ( 2 2 I -1 ) pairs. – Repeat the above, by changing inactive input bits. 5

  6. Describing LBD with Bigraph • Classify 2 n input values into 2 n - I groups indexed by non-active n - I bits values. (Do the same for output.) • Represent each input/output group by a nodes • Represent the map from input to output by edges. Each input node can have 2 I edges in maximum. Up to 2 I edges from each node 1 query to obtain 1 edge 6

  7. Describing LBD with Bigraph • Achieving LBD is equivalent to find multiedges. • Valid pair : a pair of edges sharing the same input node. • If 2 n - O valid pairs are generated, multiedges will be found. Up to 2 I edges from each node 1 query to obtain 1 edge 7

  8. Describing LBD with Graph • How many valid pairs can be generated with X queries? • Suppose d i (1 ≤ i ≤ 2 𝑜−𝐽 ) is the number of edges coming from the input node i . • The number of valid pairs ( #V ) is: 2 #V = d 1 2 /2 + d 2 2 /2 + … + 𝑒 2 𝑜−𝐽 /2 • Constraint equations are: d 1 + d 2 + … + 𝑒 2 𝑜−𝐽 = X 2 I ≥ d 1 ≥ d 2 ≥ … ≥ 𝑒 2 𝑜−𝐽 ≥ 0 . (Descendent order) 8

  9. Proof Approach • Use the theory of majorization • Proof is available in the paper. • Interesting corollary: The proof can be extended to – limited-birthday multi-collisions – limited-birthday k -sums. 9

  10. LBD for Hash Functions • So far, LBD is mainly discussed only for a part of the hash function i.e. – underlying compression function – internal permutation • We discuss LBD for the hash function i.e. – Fixed initial value – D IN only exists in the input message before padding – D OUT is defined on the hash digest 10

  11. Applications of LBD for Hash Function • Target collision resistance is a security notion for hash function with tweak value T . Definition. ( Target Collision Resistance) The following attack must take 2 n cost. – The adversary chooses an input value I 1 . – T is chosen without a control of the adversary. – The adversary finds an input I 2 s.t. H ( I 1 ) = H ( I 2 ) . I 1 , I 2 H IV Hash T 11

  12. A New Security Notion dTCR Definition. ( differential Target Collision Resistance ) The following attack must take 2 n cost. – The adversary chooses an input difference D . – T is chosen without a control of the adversary. – The adversary finds an input I s.t. H ( I ) = H ( I ⊕ D ) . I , I ⊕ D H IV Hash T • A limited birthday distinguisher with | D IN | =1 and D OUT ={0} immediately breaks the dTCR notion. 12

  13. Converting Semi-Free-Start Collisions • Semi-free-start collisions (on CF ): ′ ′ Find (𝐼 𝑗−1 , 𝑁 𝑗−1 , 𝑁 𝑗−1 ) s.t. 𝐷𝐺 𝐼 𝑗−1 , 𝑁 𝑗−1 = 𝐷𝐺(𝐼 𝑗−1 , 𝑁 𝑗−1 ) D = D IN M i -1 CF D =0 D =0 H i -1 H i n n • In many cases, the input message difference D IN is fixed in advance. • This property is stronger than the collision attack with the birthday paradox. 13

  14. Converting Semi-Free-Start Collisions • 3-block LBD with Input difference (0|| D IN ||0) • Suppose the cost for semi-free-start coll is 2 x . D =0 D = D IN D =0 M 0 M 1 M 2 || pad CF CF CF H 0 H 1 H 2 H 3 n n n n n D =0 D =0 1. Generate 2 (𝑜−𝑦)/2 semi-free-start collisions. 2. Generate 2 (𝑜+𝑦)/2 random message blocks. 3. Collision is preserved for padding block. 14

  15. Converting Semi-Free-Start Collisions • 3-block LBD with Input difference (0|| D IN ||0) • Suppose the cost for semi-free-start coll is 2 x . D =0 D = D IN D =0 M 0 M 1 M 2 || pad CF CF CF H 0 H 1 H 2 H 3 n n n n n D =0 D =0 1. Generate 2 (𝑜−𝑦)/2 semi-free-start collisions. 2. Generate 2 (𝑜+𝑦)/2 random message blocks. 3. Collision is preserved for padding block. 15

  16. Converting Semi-Free-Start Collisions • 3-block LBD with Input difference (0|| D IN ||0) • Suppose the cost for semi-free-start coll is 2 x . D =0 D = D IN D =0 M 0 M 1 M 2 || pad CF CF CF H 0 H 1 H 2 H 3 n n n n n D =0 D =0 1. Generate 2 (𝑜−𝑦)/2 semi-free-start collisions. 2. Generate 2 (𝑜+𝑦)/2 random message blocks. 3. Collision is preserved for padding block. 16

  17. Remarks for Conversion Method • The attack complexity is 2 (𝑜+𝑦)/2+1 . Semi-free-start collisions with comp. beyond 2 n/2 can be a valid LBD. • Can be extended to (not too) wide-pipe, e.g. SHA224 • Be careful for the freedom degrees of the semi-free- start collision attack. Sometimes, generating 2 (𝑜−𝑦)/2 of them is impossible. • Can be extended to limited-birthday near-collisions ( D OUT can be other than {0}). – Differential path construction becomes easier. – Padding must be satisfied within the second block. 17

  18. Applications to Concrete Designs : best attack in the hash function setting 18

  19. Concluding Remarks • Prove the optimality of the generic attack for LBD. • LBD on hash functions can be used to attack the new security notion “differential - TCR”. • LBD on hash functions can be constructed from semi-free-start collisions even with complexity beyond 2 n /2 . • Apply the above conversion for several hash functions. Some achieved the best attack. Thank for your attention !! 19

  20. Concluding Remarks • Prove the optimality of the generic attack for LBD. • LBD on hash functions can be used to attack the new security notion “differential - TCR”. • LBD on hash functions can be constructed from semi-free-start collisions even with complexity beyond 2 n /2 . • Apply the above conversion for several hash functions. Some achieved the best attack. Thank for your attention !! 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Multiple Limited-Birthday Distinguishers and Applications Jrmy Jean 1 Mara Naya-Plasencia 2

Multiple Limited-Birthday Distinguishers and Applications Jrmy Jean 1 Mara Naya-Plasencia 2

Limited Birthday Multiple Limited-Birthday Our Algorithm Applications The End Multiple Limited-Birthday Distinguishers and Applications Jrmy Jean 1 Mara Naya-Plasencia 2 Thomas Peyrin 3 1 cole Normale Suprieure, France 2 SECRET

510 views • 23 slides
Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 ,

Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 ,

Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 , Abhishek Kumar 2 , Eran Lambooij 1 and Somitra Kumar Sanadhya 2 1 University of Haifa, Israel 2 IIT Ropar, India 1 / 7 ISO 3103 Figure: A broken tea cup

676 views • 12 slides
Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of cryptographic function output based on genetic programming Petr venda, Martin Ukrop, Vashek Maty {svenda,xukrop,matyas}@fi.muni.cz Overview

367 views • 19 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers Zejun Xiang Wentao Zhang Zhenzhen Bao Dongdai Lin Institute of Information Engineering, CAS, Beijing, China December 7, 2016.

1.5k views • 74 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Crypto Research Lab Department of Computer Science & Engineering, IIT Kharagpur, India { dhimans,drc }

449 views • 34 slides
Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X. Standaert UCL Crypto Group, Universit e catholique

355 views • 24 slides
Happy Birthday Happy Birthday Nigel Nigel The c-map with S. Vandoren, C. Vafa; B. Pioline in

Happy Birthday Happy Birthday Nigel Nigel The c-map with S. Vandoren, C. Vafa; B. Pioline in

Happy Birthday Happy Birthday Nigel Nigel The c-map with S. Vandoren, C. Vafa; B. Pioline in progress. Background: B. de Wit, N. Hitchin, U. Lindstrm math.dg/0603048 What is it? What is a nice way to describe it? An example of how sigma

775 views • 39 slides
Its Our Birthday! Connecting with Constituents and Making the Most out of your Milestone

Its Our Birthday! Connecting with Constituents and Making the Most out of your Milestone

Its Our Birthday! Connecting with Constituents and Making the Most out of your Milestone Anniversary Dana Camacho, MS Director of Development American Academy of Periodontology Foundation Youre having a Birthday! Why leverage an

407 views • 29 slides
Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie Heuser, Sylvain Guilley, Olivier Rioul INSTITUT MINES-TLCOM Outline Motivation State of the art New metric: success metric (SM)

1.32k views • 25 slides
A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel

A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel

A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel Coggia Inria, Project Team SECRET, France March 27, FSE 2019 Outline Definitions and the multiple-of-8 distinguisher Proof for the distinguisher

700 views • 67 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

1.05k views • 67 slides
History Calendars Activity Birthday Walk Materials: Birthday child! Months of the

History Calendars Activity Birthday Walk Materials: Birthday child! Months of the

History Calendars Activity Birthday Walk Materials: Birthday child! Months of the year Tray Small candle in votive glass holder (or yellow ball on top of votive glass holder) Teacher keep lighter in her pocket with safety on at

143 views • 3 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

771 views • 59 slides
The Birthday Paradox Marco Cattaneo Department of Mathematics University of Hull Open Day 10

The Birthday Paradox Marco Cattaneo Department of Mathematics University of Hull Open Day 10

The Birthday Paradox Marco Cattaneo Department of Mathematics University of Hull Open Day 10 October 2015 birthday paradox how many people do we need in this room to have more than 50 % probability that someone else has the same birthday

475 views • 45 slides
Trends, Models, and Strategies in Community Foundation Fundraising Kathryn W. Miree &

Trends, Models, and Strategies in Community Foundation Fundraising Kathryn W. Miree &

AdNet Conference 2014 Trends, Models, and Strategies in Community Foundation Fundraising Kathryn W. Miree & Associates, Inc. Trends, Models, and Strategies in Community Foundation Fundraising Successful community foundation fundraising

685 views • 47 slides
Certainty Factor certainty factor CF (is the certainty factor in the hypothesis H due to

Certainty Factor certainty factor CF (is the certainty factor in the hypothesis H due to

Certainty Factor certainty factor CF (is the certainty factor in the hypothesis H due to evidence E) ranges between -1 (denial of the hypothesis H) and +1 (confirmation of H) allows the ranking of hypotheses difference between

280 views • 5 slides
Self-collected HPV Testing Improves Participation in Cervical Cancer Screening: Systematic Review

Self-collected HPV Testing Improves Participation in Cervical Cancer Screening: Systematic Review

Self-collected HPV Testing Improves Participation in Cervical Cancer Screening: Systematic Review and Meta-analysis C . S A R A I R A C E Y P H D S T U D E N T D A L L A L A N A S C H O O L O F P U B L I C H E A LT H U N I V E R S I T

314 views • 14 slides
What t is is Clin linic ical Navi vigatio ion In Insured (C (CNI) I)? A se servic

What t is is Clin linic ical Navi vigatio ion In Insured (C (CNI) I)? A se servic

What t is is Clin linic ical Navi vigatio ion In Insured (C (CNI) I)? A se servic ice provid vided d under r the Ill llinois inois Breast st and Cervic ical al Cancer r Progr gram. am. Cli linica ical l Navig igat

541 views • 9 slides
Efficient Parsing for Bilexical CF Grammars Head Automaton Grammars Jason Eisner Giorgio

Efficient Parsing for Bilexical CF Grammars Head Automaton Grammars Jason Eisner Giorgio

Efficient Parsing for Bilexical CF Grammars Head Automaton Grammars Jason Eisner Giorgio Satta U. of Pennsylvania U. of Padova, Italy U. of Rochester The speaker notes in this Powerpoint file may be helpful to the reader: theyre

909 views • 28 slides
r r rs rt

r r rs rt

r r rs r r r r r r r rs

460 views • 17 slides
Quickest Sorted binary trees are an efficient data structure Quickest for maintaining sorted

Quickest Sorted binary trees are an efficient data structure Quickest for maintaining sorted

One-Slide Summary Guest Lecture Insert-sort is ( n 2 ) worst case (reverse list), but is by Kinga Dobolyi ( n ) best case (sorted list). A recursive function that divides its input in half each time is often in (log n ). If

565 views • 8 slides
1 Case Study: Orange Labs & Cloud Foundry Guillaume Berche Intro About Orange

1 Case Study: Orange Labs & Cloud Foundry Guillaume Berche Intro About Orange

1 Case Study: Orange Labs & Cloud Foundry Guillaume Berche Intro About Orange Disclaimer About ElPaaso Contact me: @gberche or guillaume.berche [at] orange.com Grenoble, France El Paso, Texas, USA ? 3 Session

676 views • 33 slides

More recommend