
New Collision Attacks on Round-Reduced Keccak



  1. New Collision Attacks on Round-Reduced Keccak
     Kexin Qiao (1, 3, 4), Ling Song (1, 2, 3), Meicheng Liu (1), Jian Guo (2)
     {qiaokexin,songling,liumeicheng}@iie.ac.cn, guojian@ntu.edu.sg
     (1) SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences, China
     (2) Nanyang Technological University, Singapore
     (3) Data Assurance and Communication Research Center, Chinese Academy of Sciences, China
     (4) University of Chinese Academy of Sciences, China
     Paris, France, Eurocrypt 2017
     K. Qiao, L. Song, M. Liu, J. Guo, New Collision Attacks on Round-Reduced Keccak, Paris, France, Eurocrypt 2017

  2. Outline
     1. Introduction
     2. Overview of Collision Attack
     3. Search for Differential Trails
     4. Results
     5. Future work

  3. Outline
     1. Introduction
        - Description of Keccak
        - Previous Work and Our Contribution
        - Main Idea
     2. Overview of Collision Attack
     3. Search for Differential Trails
     4. Results
     5. Future work

  4. Introduction: Description of Keccak
     SHA-3 Hash Function
     - Structure of Keccak – Sponge construction (http://keccak.noekeon.org/)
     - Keccak-f permutation
       - 1600 bits: a 5 × 5 array of 64-bit lanes
       - 24 rounds $R$
       - each round consists of five steps: $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$

  5. Introduction: Description of Keccak
     SHA-3 Hash Function
     - Keccak-f permutation: the internal state (http://www.iacr.org/authors/tikz/)

  6. Introduction: Description of Keccak
     SHA-3 Hash Function
     Keccak permutation: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
     - θ step: adding two columns to the current bit (http://keccak.noekeon.org/)

  7. Introduction: Description of Keccak
     SHA-3 Hash Function
     Keccak permutation: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
     - ρ step: lane-level rotations (http://keccak.noekeon.org/)

  8. Introduction: Description of Keccak
     SHA-3 Hash Function
     Keccak permutation: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
     - π step: permutation on lanes (http://keccak.noekeon.org/)

  9. Introduction: Description of Keccak
     SHA-3 Hash Function
     Keccak permutation: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
     - χ step: the only nonlinear operation (http://keccak.noekeon.org/)

  10. Introduction: Description of Keccak
      SHA-3 Hash Function
      Keccak permutation: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
      - ι step: adding a constant
      - Adds one round-dependent constant to the first "lane" to destroy the symmetry; usually irrelevant to the details of cryptanalysis.

  11. Introduction: Description of Keccak
      SHA-3 Hash Function
      Keccak permutation. Internal state $A$: a 5 × 5 array of 64-bit lanes.
      - θ step:
        $C[x] = A[x,0] \oplus A[x,1] \oplus A[x,2] \oplus A[x,3] \oplus A[x,4]$
        $D[x] = C[x-1] \oplus (C[x+1] \lll 1)$
        $A[x,y] = A[x,y] \oplus D[x]$
      - ρ step: $A[x,y] = A[x,y] \lll r[x,y]$
        The constants $r[x,y]$ are the rotation offsets.
      - π step: $B[y, 2x+3y] = A[x,y]$
      - χ step: $A[x,y] = B[x,y] \oplus ((\lnot B[x+1,y]) \,\&\, B[x+2,y])$
      - ι step: $A[0,0] = A[0,0] \oplus RC$
        $RC[i]$ are the round constants.
      The only non-linear operation is the χ step.

  12. Introduction: Previous Work and Our Contribution
      Collision attacks on round-reduced Keccak
      Practical results:
      - 3-round Keccak-384 (Dinur et al., FSE 2013)
      - 3-round Keccak-512 (Dinur et al., FSE 2013)
      - 4-round Keccak-224 (Dinur et al., FSE 2012)
      - 4-round Keccak-256 (Dinur et al., FSE 2012)
      Theoretical results:
      - 4-round Keccak-384: $2^{147}$ (Dinur et al., FSE 2013)
      - 5-round Keccak-256: $2^{115}$ (Dinur et al., FSE 2013)

  13. Introduction: Previous Work and Our Contribution
      Collision attacks on round-reduced Keccak
      Practical results:
      - 3-round Keccak-384 (Dinur et al., FSE 2013)
      - 3-round Keccak-512 (Dinur et al., FSE 2013)
      - 4-round Keccak-224 (Dinur et al., FSE 2012)
      - 4-round Keccak-256 (Dinur et al., FSE 2012)
      - 5-round SHAKE128, a member of SHA-3 (this work)
      - 5-round Keccak[r = 1440, c = 160, d = 160] (this work)
      - 5-round Keccak[r = 640, c = 160, d = 160] (this work)
      Theoretical results:
      - 4-round Keccak-384: $2^{147}$ (Dinur et al., FSE 2013)
      - 5-round Keccak-256: $2^{115}$ (Dinur et al., FSE 2013)
      - 5-round Keccak-224: $2^{101}$ (this work)
      - 6-round Keccak[r = 1440, c = 160, d = 160]: $2^{70.24}$ (this work)

  14. Introduction: Main Idea
      An extended algebraic and differential hybrid method:
      1. S-box linearization in affine subspaces
      2. A dedicated strategy for searching differential trails

  15. Outline
      1. Introduction
      2. Overview of Collision Attack
         - Overview of 5-round collision attack
         - S-box linearization and affine subspaces
         - A connector covering two rounds
      3. Search for Differential Trails
      4. Results
      5. Future work

  16. Overview of Collision Attack: Overview of 5-round collision attack
      [Figure: 2-round connector and 3-round differential, with labels $\Delta S_I$, $\Delta S_O$, $d$, $r$, $c$]
      - 3-round differential: $\Delta S_I \to \Delta S_O$
      - 2-round connector: linking $\Delta S_I$ with the initial value by linear systems
      - Find pairs $(M, M')$ s.t. ($R^i$: $i$ iterations of $R$)
        $R^2(M \,\|\, 0^c) + R^2(M' \,\|\, 0^c) = \Delta S_I$
      - $E_\Delta$: solution is the difference of two messages
      - $E_M$: solution space is the message/searching space

  17. Overview of Collision Attack: Overview of 5-round collision attack
      Property of Keccak S-box
      1. Given $(\delta_{in}, \delta_{out})$, $V = \{x : S(x) + S(x + \delta_{in}) = \delta_{out}\}$ is an affine subspace.
      2. Given $\delta_{out}$, $\{\delta_{in} : \mathrm{DDT}(\delta_{in}, \delta_{out}) > 0\}$ contains at least five 2-dimensional affine subspaces.

  18. Overview of Collision Attack: Overview of 5-round collision attack
      1-round connector
      [Figure: $\alpha_0 \xrightarrow{L} \beta_0 \xrightarrow{\chi} \alpha_1\,(\Delta S_I)$]
      Dinur et al.'s target difference algorithm: find pairs $(M, M')$ s.t.
      $R^1(M \,\|\, 0^c) + R^1(M' \,\|\, 0^c) = \Delta S_I$
      - Difference phase: find the exact input difference $\beta_0$ to the χ layer
        - For each active S-box, choose an affine subspace with 4 potential input differences
        - A more flexible approach
      - Value phase: obtain the actual message pairs that lead to the target difference $\Delta S_I$
        - Given $\beta_0$, the value phase reduces to solving linear equations.

  19. Overview of Collision Attack: Overview of 5-round collision attack
      Extending the 1-round connector to 2 rounds
      [Figure: 1-round connector $\alpha_0 \xrightarrow{L} \beta_0 \xrightarrow{\chi} \alpha_1\,(\Delta S_I)$, extended (marked "?") to a 2-round connector $\alpha_0 \xrightarrow{L} \beta_0 \xrightarrow{\chi} \alpha_1 \xrightarrow{L} \beta_1 \xrightarrow{\chi} \alpha_2\,(\Delta S_I)$]

  20. Overview of Collision Attack: S-box linearization and affine subspaces
      S-box linearization
      Definition (Linearizable affine subspace, LAS): Linearizable affine subspaces are affine input subspaces on which S-box substitution is equivalent to a linear transformation. If $V$ is a linearizable affine subspace of an S-box operation $S(\cdot)$, then $\forall x \in V$, $S(x) = A \cdot x + b$, where $A$ is a matrix and $b$ is a constant vector.
      Example (Linearizable affine subspace): for $V = \{00000, 00001, 00100, 00101\}$, $S(V) = \{00000, 01001, 00101, 01100\}$, and the S-box is equivalent to the linear transformation
      $$y = \begin{pmatrix} 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \end{pmatrix} \cdot x.$$
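
Added example (not from the slides or the authors' code): an exhaustive Python check of the two S-box properties in item 17 and of the linearizable affine subspace in item 20, using the 5-bit χ S-box. The bit convention (rightmost character of a bit string is x_0, and the matrix acts on the column vector (x_0, ..., x_4)) and all function names are assumptions of this example.

```python
# Added example, not the authors' code. Convention assumed here: in a bit
# string such as 00101 the rightmost character is x_0.
from itertools import combinations

def chi(x):
    """chi on one 5-bit row: y_i = x_i ^ (~x_{i+1} & x_{i+2}), indices mod 5."""
    bit = lambda v, i: (v >> (i % 5)) & 1
    return sum((bit(x, i) ^ ((bit(x, i + 1) ^ 1) & bit(x, i + 2))) << i
               for i in range(5))

S = [chi(x) for x in range(32)]

def solutions(d_in, d_out):
    """V = {x : S(x) + S(x + d_in) = d_out}; non-empty iff DDT(d_in, d_out) > 0."""
    return {x for x in range(32) if S[x] ^ S[x ^ d_in] == d_out}

def is_affine(V):
    """A non-empty subset of GF(2)^5 is affine iff it is closed under x^y^z."""
    return bool(V) and all(x ^ y ^ z in V for x in V for y in V for z in V)

def property1_holds():
    """Every non-empty solution set V is an affine subspace."""
    sets = (solutions(di, do) for di in range(32) for do in range(32))
    return all(is_affine(V) for V in sets if V)

def planes_in_column(d_out):
    """Number of 2-dimensional affine subspaces in {d_in : DDT(d_in, d_out) > 0}.
    Four distinct points form such a subspace iff they XOR to zero."""
    col = [di for di in range(32) if solutions(di, d_out)]
    return sum(1 for a, b, c, d in combinations(col, 4) if a ^ b ^ c ^ d == 0)

def min_planes():
    """Minimum over nonzero d_out (d_out = 0 only admits d_in = 0)."""
    return min(planes_in_column(do) for do in range(1, 32))

# Matrix from item 20, one bit mask per row over (x_0..x_4): y_i = parity(row_i & x).
M_ROWS = [0b00101, 0b00010, 0b00100, 0b01001, 0b10000]
LAS = [0b00000, 0b00001, 0b00100, 0b00101]   # V from item 20

def apply_matrix(x):
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(M_ROWS))

def las_example_holds():
    """On V, the S-box agrees with y = A * x (here b = 0)."""
    return is_affine(set(LAS)) and all(S[x] == apply_matrix(x) for x in LAS)

if __name__ == "__main__":
    print("S(V) =", [format(S[x], "05b") for x in LAS])
    print("property 1:", property1_holds())
    print("min planes per column:", min_planes())
    print("LAS example:", las_example_holds())
```

The check on property 2 ranges over nonzero output differences only, since for $\delta_{out} = 0$ the only compatible input difference is 0.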
