practical near collisions and collisions on reduced round
play

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 - PowerPoint PPT Presentation

Feb 01, 2023 •127 likes •562 views

Outline Attack Conclusion ECHO-256 Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy Jean and Pierre-Alain Fouque Ecole Normale Suprieure FSE2011 February 14, 2011 FSE2011 Jrmy

  1. Outline Attack Conclusion ECHO-256 Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jérémy Jean and Pierre-Alain Fouque Ecole Normale Supérieure FSE’2011 February 14, 2011 FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 1/19

  2. Outline Attack Conclusion ECHO-256 Outline Outline of the talk Outline Previous cryptanalysis Description of ECHO-256 Collision attack on 4-round ECHO-256 Rebound attacks and improvements FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 2/19

  3. Outline Attack Conclusion ECHO-256 Cryptanalysis Previous cryptanalysis of ECHO-256 Hash function Rounds Time Memory Type Reference 2 112 2 85 . 3 5/8 collision [Schläffer-eprint10] Compression function Rounds Time Memory Type Reference 2 64 2 32 3/8 free-start collision [Peyrin-C10] 2 96 2 32 3/8 semi-free-start collision [Peyrin-C10] 2 96 2 32 4.5/8 distinguisher [Peyrin-C10] 2 36 2 16 4/8 distinguisher new 2 52 2 16 4/8 semi-free-start collision new 2 160 2 128 6/8 collision, chosen salt [Schläffer-eprint10] 2 160 2 128 7/8 distinguisher, chosen salt [Schläffer-eprint10] Permutation Rounds Time Memory Type Reference 2 182 2 37 8/8 distinguisher [SLWSO-A10] 2 151 2 67 8/8 distinguisher [NayaPlasencia-eprint10] FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 3/19

  4. Outline Attack Conclusion ECHO-256 Description of ECHO-256 Description of the hash function ECHO-256 Merkle-Damgård construction HAIFA design (counter & salt) 2048-bit internal state as a 4 × 4 matrix of AES states 8-round AES-based permutation : BSB, BSR, BMC Output transformation : compress and truncate 2 rounds AES AES MixColumns 0 0 1 1 BSB BSR BMC 2 2 3 3 FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 4/19

  5. Outline Attack Conclusion ECHO-256 Description of ECHO-256 Alternative view Breaking down to the AES-state level of operations SuperSBox = SB – MC – SB [LMRRS-A09, GP-FSE10] SuperMixColumns = MC – BMC [Schläffer-SAC10] BSB BSR BMC FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 5/19

  6. Outline Attack Conclusion ECHO-256 Description of ECHO-256 Alternative view Breaking down to the AES-state level of operations SuperSBox = SB – MC – SB [LMRRS-A09, GP-FSE10] SuperMixColumns = MC – BMC [Schläffer-SAC10] BSB BSR BMC SB SR MC SB SR MC BSR BMC 1 round of AES 1 round of AES FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 5/19

  7. Outline Attack Conclusion ECHO-256 Description of ECHO-256 Alternative view Breaking down to the AES-state level of operations SuperSBox = SB – MC – SB [LMRRS-A09, GP-FSE10] SuperMixColumns = MC – BMC [Schläffer-SAC10] BSB BSR BMC SB SR MC SB SR MC BSR BMC SR SB MC SB SR BSR MC BMC SuperSBox SuperMixColumns FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 5/19

  8. Outline Attack Conclusion ECHO-256 Description of ECHO-256 SuperSBox Description Super transformation used in [LMRRS-A09, GP-FSE10] SuperSBox = SB – MC – SB Works on 32-bit AES-columns P (∆ IN → ∆ OUT exists ) ≈ 1 / 2 SuperSBox SB MC SB ∆ IN ∆ OUT FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 6/19

  9. Outline Attack Conclusion ECHO-256 Description of ECHO-256 MixColumns and BigMixColumns 4 parallel applications of MixColumns/BigMixColumns MixColumns BigMixColumns MC MC MC MC MC MC MC MC MC : AES MixColumns FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 7/19

  10. Outline Attack Conclusion ECHO-256 Description of ECHO-256 SuperMixColumns 16 × 16 matrix of SMC Super transformation introduced in [Schläffer-SAC10] Works on 16 × 1 byte-slices M SMC = M ⊗ M ( M from MixColumns ) Branch number = 8 (optimal : 17) p = 2 − 24 Sparse paths : 4 → 16 → 4, SuperMixColumns MC BMC one slice ♣ FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 8/19

  11. Outline Attack Conclusion ECHO-256 Description of ECHO-256 SuperMixColumns Restriction Sparse paths = ⇒ one-dimensional subsets of kernels Span ( v ) ⊂ ker ( M SMC | 4 ,..., 15 ) M SMC = M SMC | 4 ,..., 15 0 v = [ 14 0 0 0 9 0 0 0 13 0 0 0 11 0 0 0 ] T λ v SuperMixColumns MC BMC one slice ♣ FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 8/19

  12. Outline Attack Conclusion ECHO-256 Rebound Technique Rebound technique For a given truncated differential path Set differences and values around a non-linear layer using its differential properties with amortized complexity one NL = AES SBox or SuperSBox Differences Differences L NL L Diff. prop. Values Values FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 9/19

  13. Outline Attack Conclusion ECHO-256 Overview Path for the 4-round collision attack S0 S1 S2 S3 S4 S5 S6 S7 S8 SR SB MC SB SR BSR MC BMC S8 S9 S10 S11 S12 S13 S14 S15 S16 SR SB MC SB SR BSR MC BMC S16 S17 S18 S19 S20 S21 S22 S23 S24 SR SB MC SB SR BSR MC BMC S24 S25 S26 S27 S28 S29 S30 S31 S32 SR SB MC SB SR BSR MC BMC ⊕ S33 S34 BF FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 10/19

  14. Outline Attack Conclusion ECHO-256 Overview Finding a valid pair Path Path from [Schläffer-SAC10] Modified in the first round Overview Differential attack Two subparts solved sequentially One merging step FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 11/19

  15. Outline Attack Conclusion ECHO-256 Overview Finding a valid pair Path Path from [Schläffer-SAC10] Modified in the first round Overview Differential attack Two subparts solved sequentially One merging step FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 11/19

  16. Outline Attack Conclusion ECHO-256 Overview Merging the two subparts Goal : find values for white bytes. Known : red bytes (1st subpart), blue bytes (2nd subpart) SuperMixColumns FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 12/19

  17. Outline Attack Conclusion ECHO-256 Overview Merging the two subparts Goal : find values for white bytes. Known : red bytes (1st subpart), blue bytes (2nd subpart) SuperMixColumns Problem Fails w.h.p in [Schläffer-SAC10] Cause : system without solution FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 12/19

  18. Outline Attack Conclusion ECHO-256 Overview Merging the two subparts Goal : find values for white bytes. Known : red bytes (1st subpart), blue bytes (2nd subpart) a 0 b 0 b 1 b 2 b 3 a 1 SuperMixColumns a 2 a 3 Problem Correction Fails w.h.p in [Schläffer-SAC10] Merge still possible... Cause : system without solution ...but 128-bit constraint slice # 0 : 2 a 0 + 3 a 1 + a 2 + a 3 = 14 b 0 + 11 b 1 + 13 b 2 + 9 b 3 meet-in-the-middle condition FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 12/19

  19. Outline Attack Conclusion ECHO-256 Overview How to solve the merge problem Steps of the attack 1 Solve first column of Round 2 � 2 Fix differences for a valid path through SMC � 3 Input Differences = ⇒ Values for Rounds 3 & 4 � 4 Deduce three last columns � 5 Values for Round 1 = ⇒ Collision � � First subpart � Second subpart Round 1 Round 2 Round 3 Round 4 Start Here FSE’2011 – Jérémy Jean and Pierre-Alain Fouque Ecole Normale Superieure Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function 13/19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

Excess of J/ y yield at very low p T in Au+Au collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR Wangmei Zha for the STAR Collaboration University of Science and Technology of China W. Zha etal.,

487 views • 22 slides
first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already in Dec 2010 first collisions with stable beams: 5 publications in PRL and PLB November 8 until Dec 6 Johanna Stachel Heavy ion running at the LHC

615 views • 60 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven, Belgium Fast Software Encryption 2009 Sebastiaan Indesteege (COSIC) Practical Collisions for EnRUPT 1/27 Outline 1 Introduction 2 Description of

704 views • 69 slides
Theory and simulations for weakly chaotic systems: round off and irreversibility, collisions and

Theory and simulations for weakly chaotic systems: round off and irreversibility, collisions and

Theory and simulations for weakly chaotic systems: round off and irreversibility, collisions and relaxation Symposium MECCANICA. Bologna 27-30 august gioved 28 agosto ore 15-15.50 To Sandro Graffi for his 65 birthday Giorgio Turchetti

677 views • 40 slides
Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion

Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion

Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion collision? Focus on collective phenomena present in nucleus-nucleus collisions, but absent in pp collisions (condensed matter physics of

879 views • 23 slides
MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

12/9/15 MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive How to reduce their cost? q Reserve the wireless channel before transmitting data Send short control packets for

237 views • 7 slides
Di Di-electron production in dp collisions at E kin kin =2.5 .5 GeV Jacek Biernat 2004 HADES re-

Di Di-electron production in dp collisions at E kin kin =2.5 .5 GeV Jacek Biernat 2004 HADES re-

Di Di-electron production in dp collisions at E kin kin =2.5 .5 GeV Jacek Biernat 2004 HADES re- measures C+C collisions 2003 N+N and pi-N collisions in HADES Phys. Lett B 750, 12 (2015) What have we learnt from inclusive spectra p p X e+

505 views • 24 slides
On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes CRYPTO 2002 Rump Session Tom Rosa tomas.rosa@i.cz, http://crypto.hyperlink.cz ICZ, a.s. Dept. of Computer Science, CTU in Prague CZECH REPUBLIC On Key -collisions in (EC)DSA Schemes (1) Let ( m

519 views • 5 slides
Practical Near-Collisions on the Compression Function of BMW Gatan Leurent and Sren S.

Practical Near-Collisions on the Compression Function of BMW Gatan Leurent and Sren S.

Introduction Solving AX systems BMW analysis Conclusion Practical Near-Collisions on the Compression Function of BMW Gatan Leurent and Sren S. Thomsen University of Luxembourg Technical University of Denmark FSE 2011 G. Leurent, S.

840 views • 50 slides
Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder Florian Mendel Martin Schl affer IAIK, Graz University of Technology, Austria FSE 2014 Practical Collisions for Round-Reduced Hash Functions

602 views • 23 slides
Gabriele Veneziano Outline I: String (p.particle) collisions (1987->) II: String-brane

Gabriele Veneziano Outline I: String (p.particle) collisions (1987->) II: String-brane

GGI, 18.04.2019 Transplanckian collisions of particles, strings and branes: results & challenges Gabriele Veneziano Outline I: String (p.particle) collisions (1987->) II: String-brane collisions (2010->) III: Gravitational

883 views • 67 slides
Work supported by Electron-molecule collisions in plasmas Elastic collisions affect electron

Work supported by Electron-molecule collisions in plasmas Elastic collisions affect electron

Electron-Molecule Collision Calculations on Vector and MPP Systems Carl Winstead Vincent McKoy Cray site: Work supported by Electron-molecule collisions in plasmas Elastic collisions affect electron transport and energy deposition

365 views • 23 slides
From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas

From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas

Introduction SHA-1 Cryptanalysis New chosen-prefjx collision techniques Conclusion From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas Peyrin Inria, France NTU, Singapour Eurocrypt 2019 Gatan

935 views • 37 slides
Unit5: More Collisions Mike Chantler, 31/8/2008 See Peters ActionScript 3.0 Animation

Unit5: More Collisions Mike Chantler, 31/8/2008 See Peters ActionScript 3.0 Animation

Unit 5: More Collisions 3D Modelling & Animation Module F21MA Unit5: More Collisions Mike Chantler, 31/8/2008 See Peters ActionScript 3.0 Animation Unit contents Detecting collisions Springing off a fixed ball

460 views • 23 slides
October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and

October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and

Florida Public Transportation Association Annual Conference Florida Transit Safety Network October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and rear- ending collisions Show Florida transit Motorbus

443 views • 43 slides
Fast Text Compression with Neural Networks Matthew Mahoney Florida Institute of Technology

Fast Text Compression with Neural Networks Matthew Mahoney Florida Institute of Technology

Fast Text Compression with Neural Networks Matthew Mahoney Florida Institute of Technology http://cs.fit.edu/~mmahoney/compression/ How text compression works Neural implementations have been too slow How to make them faster How

569 views • 10 slides
A Little Confusing Without [a block digest], one must query the offset digest with all

A Little Confusing Without [a block digest], one must query the offset digest with all

A Little Confusing Without [a block digest], one must query the offset digest with all possible offsets: although the extra space afforded by not having a block digest increases the accuracy of the offset digest, the testing of every offset

125 views • 9 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross DaMoN 2015, Melbourne, Victoria, Australia Databases & Compression Process data on disk Nearly unlimited capacity Affects query

490 views • 48 slides
On Variable Dependencies and Compressed Pattern Databases Malte Helmert 1 Nathan Sturtevant 2

On Variable Dependencies and Compressed Pattern Databases Malte Helmert 1 Nathan Sturtevant 2

Introduction Good News Bad News Conclusion On Variable Dependencies and Compressed Pattern Databases Malte Helmert 1 Nathan Sturtevant 2 Ariel Felner 3 1 University of Basel, Switzerland 2 University of Denver, USA 3 Ben Gurion University,

1.05k views • 35 slides
LFZip: Lossy compression of multivariate time series data via improved prediction Shubham

LFZip: Lossy compression of multivariate time series data via improved prediction Shubham

LFZip: Lossy compression of multivariate time series data via improved prediction Shubham Chandak Stanford University DCC 2020 Paper ID: 111 Joint work with Kedar Tatwawadi, Stanford Tsachy Weissman, Stanford Chengtao Wen, Siemens

256 views • 25 slides
Data Compression Lossless And Lossy Compression compressedData = compress(originalData)

Data Compression Lossless And Lossy Compression compressedData = compress(originalData)

Data Compression Lossless And Lossy Compression compressedData = compress(originalData) Reduce the size of data. decompressedData = decompress(compressedData) Reduces storage space and hence storage cost. When originalData =

362 views • 8 slides
Raimund Seidel

Raimund Seidel

Raimund Seidel Universitt des Saarlandes

1.55k views • 125 slides

More recommend