pseudo preimage attack on reduced round gr stl hash
play

(Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and - PowerPoint PPT Presentation

Jun 03, 2023 •119 likes •381 views

SKLOIS (Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and Others Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou March 20, 2012 Institute for

  1. SKLOIS 信息安全国家重点实验室 (Pseudo) Preimage Attack on Reduced-Round Grøstl Hash Function and Others Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou March 20, 2012 中国科学院软件研究所 Institute for Infocomm Research, Singapore Institute of Software, Chinese Academy of Sciences .

  2. Outline Introduction Attack on Gr ø stl Other results Conclusion 信息安全国家重点实验室 中国科学院软件研究所 2 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  3. Introduction Meet-in-the-Middle pre-image attacks  Applied to full MD4, MD5,HAVAL-3/4,Tiger and reduced-round HAS-160, RIPEMD, SHA-0/1, SHA-2 etc.  Tricks:  Splice and Cut Techniques  Bicliques, Initial Structure (Message Stealing), local collision  Partial-Matching (Relations between deterministic values) 信息安全国家重点实验室 中国科学院软件研究所 3 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  4. Introduction Meet-in-the-Middle pre-image attacks  Yu Sasaki proposed the MitM preimage attack on AES- like structures for the first time at FSE 2011  Target: Whirlpool and AES hash modes  Use freedom degrees of the state for chunk separation 信息安全国家重点实验室 中国科学院软件研究所 4 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  5. Outline Introduction Attack on Gr ø stl Other results Conclusion 信息安全国家重点实验室 中国科学院软件研究所 5 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  6. Pseudo-Preimage Attack on 5-round Grøstl-256 Specification of Grøstl hash function  Wide-pipe MD structure with output transformation  Permutations P and Q are AES-like structures with 8 × 8 states(Grøstl-256) and 8 × 16 states(Grøstl-512)  10 rounds for Grøstl-256 and 14 rounds for Grøstl-512 M Q H i-1 P H i X P 信息安全国家重点实验室 中国科学院软件研究所 6 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  7. Pseudo-Preimage Attack on 5-round Grøstl-256 Properties of the compression function  2n-bit state, 𝐺 𝐼 , 𝑁 = 𝑄 𝐼 ⊕ 𝑁 ⊕ 𝑅 𝑁 ⊕ 𝐼  With 𝐼 ′ = 𝐼 ⊕ 𝑁 , 𝐺 𝐼′ , 𝑁 = 𝑄 𝐼′ ⊕ 𝐼 ′ ⊕ 𝑅 𝑁 ⊕ 𝑁  Bounds for generic attacks  Pre-image attack: 2 𝑜 • 𝑄 𝐼′ ⊕ 𝐼 ′ ⊕ 𝑅 𝑁 ⊕ 𝑁 = 𝑈 • birthday attack on 2n-bit state 2𝑜  Collision attack: 2 3 ′ ⊕ 𝐼 1 ′ ⊕ 𝑅 𝑁 1 ⊕ 𝑁 1 ⊕ 𝑄 𝐼 2 ′ ⊕ 𝐼 2 ′ ⊕ 𝑅 𝑁 2 ⊕ 𝑁 2 = 0 • 𝑄 𝐼 1 • generalized birthday attack on 2n-bit state with four entries M Q H i H i-1 P 信息安全国家重点实验室 中国科学院软件研究所 7 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  8. Outline of the attack 信息安全国家重点实验室 中国科学院软件研究所 8 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  9. Pseudo-Preimage Attack on 5-round Grøstl-256 Attack outline  Pseudo pre-image (H,M)  𝐺 𝐼 , 𝑁 = 𝑌 , 𝑄 𝑌 ⊕ 𝑌 = ∗ || 𝑈  X is a pre-image of the output transformation  With 𝐼 ′ = 𝐼 ⊕ 𝑁 , 𝑄 𝐼 ′ ⊕ 𝐼 ′ ⊕ 𝑅 𝑁 ⊕ 𝑁 ⊕ 𝑌 = 0 M Q X X H P P T 信息安全国家重点实验室 中国科学院软件研究所 9 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  10. Pseudo-Preimage Attack on 5-round Grøstl-256 How to convert the partial pre-images of 𝑄 𝑌 ⊕ 𝑌 into pseudo pre-image of the hash function 𝑄 𝐼 ′ ⊕ 𝐼 ′ ⊕ ⊕ = 0 𝑅 𝑁 ⊕ 𝑁 𝑌 2 𝑦 3 × 2 𝑦 2 × 2 𝑦 1 × b 2n-b 2n 2n Lookup table 1 Lookup table 2 2 𝑦 1 +𝑦 2 −𝑐 × b 2n-b 2 𝑦 1 +𝑦 2 +𝑦 3 −2𝑜 ≥ 1 ⇒ 𝑦 1 + 𝑦 2 + 𝑦 3 ≥ 2𝑜 zero 2 𝑦 1 +𝑦 2 +𝑦 3 −2𝑜 × 2n unknown 信息安全国家重点实验室 中国科学院软件研究所 10 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  11. Pseudo-Preimage Attack on 5-round Grøstl-256 Complexity evaluation  X: Fixed position partial preimage (n-bit) of 𝑄 𝑌 ⊕ 𝑌  Let complexity to find one X be 2 𝐷 1 ( 2𝑜 , 𝑜 )  M: Randomly chosen message with padding  Complexity=one Q call=1/2 compression function call  H’: Chosen position partial preimage (b-bit) of 𝑄 𝐼 ′ ⊕ 𝐼 ′  Let complexity to find one H’ be 2 𝐷 2 ( 2𝑜 , 𝑐 ) 信息安全国家重点实验室 中国科学院软件研究所 11 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  12. Pseudo-Preimage Attack on 5-round Grøstl-256 Overall complexity of the attack is 2 𝑦 1 +𝐷 1 ( 2𝑜 , 𝑜 ) + 2 𝑦 3 +𝐷 2 ( 2𝑜 , 𝑐 ) + 2 𝑦 2 −1 + 2 𝑦 1 +𝑦 2 −𝑐 𝐷 𝑈𝑈 2 𝑦 2 −1 (1 + 𝐷 𝑈𝑈 ) 𝑄 𝐼 ′ ⊕ 𝐼 ′ ⊕ ⊕ = 0 𝑅 𝑁 ⊕ 𝑁 𝑌 2 𝑦 3 × 2 𝑦 2 × 2 𝑦 1 × b 2n-b 2n 2n 2 𝑦 1 +𝐷 1 ( 2𝑜 , 𝑜 ) 2 𝑦 3 +𝐷 2 ( 2𝑜 , 𝑐 ) Lookup table 1 Lookup table 2 2 𝑦 1 +𝑦 2 −𝑐 × b 2n-b 2 𝑦 1 +𝑦 2 −𝑐 𝐷 𝑈𝑈 2 𝑦 1 +𝑦 2 +𝑦 3 −2𝑜 × 2n 信息安全国家重点实验室 中国科学院软件研究所 12 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  13. Partial preimage attacks on 𝑄 𝑌 ⊕ 𝑌 信息安全国家重点实验室 中国科学院软件研究所 13 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  14. Pseudo-Preimage Attack on 5-round Grøstl-256 Evaluation of 𝐷 1 ( 2𝑜 , 𝑜 ) (fixed position partial preimage)  Freedom degrees in blue and red bytes: 64 and 48 bits  Size of the matching point: 64 bits  Size of the full match: 256 bits  Complexity: 2 207 P(X) calls = 2 206 compression function calls 信息安全国家重点实验室 中国科学院软件研究所 14 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  15. Pseudo-Preimage Attack on 5-round Grøstl-256 Evaluation of 𝐷 2 ( 2𝑜 , 𝑐 ) (chosen position partial preimage)  Note: we can choose the positions of the target zero bits  Choose optimal positions to maximize the size of the matching point 信息安全国家重点实验室 中国科学院软件研究所 15 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  16. Pseudo-Preimage Attack on 5-round Grøstl-256 Graphs of 𝑛 ( 𝑐 ) and 𝐷 2 ( 2𝑜 , 𝑐 ) for different b Grøstl-256 信息安全国家重点实验室 中国科学院软件研究所 16 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  17. Pseudo-Preimage Attack on 5-round Grøstl-256 Overall complexity of pseudo-preimage attack on 5-round Grøstl-256  When 𝑐 = 35 , the overall complexity reaches its minimum value 2 244 . 85 信息安全国家重点实验室 中国科学院软件研究所 17 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  18. Results on Grøstl-512 信息安全国家重点实验室 中国科学院软件研究所 18 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  19. Pseudo-Preimage Attack on 8-round Grøstl-512 Preimage attack on the output transformation 信息安全国家重点实验室 中国科学院软件研究所 19 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  20. Summary of results Algorithm Target Type Rounds Time Memory Source Martin 2 64 - Hash Function Collision 3 Schlæffer Compression Semi-Free-Start Martin 2 112 2 64 6 Function Collision Schlæffer Jérémy 2 368 2 64 Permutation Distinguisher 9 Jean et al. Grøstl-256 Zero-Sum Christina 2 509 - Permutation 10 Distinguisher Boura et al. Output 2 206 2 48 Preimage 5 Ours Transformation Pseudo 2 244 . 85 2 230 . 13 Hash Function 5 Ours Preimage Martin 2 192 - Hash Function Collision 3 Schlæffer Compression Semi-Free-Start 2 152 2 56 7 Yu Sasaki Function Collision Jérémy 2 392 2 64 Grøstl-512 Permutation Distinguisher 10 Jean et al. Output 2 495 2 16 Preimage 8 Ours Transformation Pseudo 2 507 . 32 2 507 . 00 Hash Function 8 Ours Preimage 信息安全国家重点实验室 中国科学院软件研究所 20 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  21. Outline Introduction Attack on Gr ø stl Other results Conclusion 信息安全国家重点实验室 中国科学院软件研究所 21 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jrmy Jean 1 joint work with: Jian Guo 1 Gatan Leurent 2 Thomas Peyrin 1 Lei Wang 1 1 Nanyang Technological University, Singapore 2 INRIA, France

847 views • 40 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang and Ling Qin Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline--divided into 3 parts u Ketje u Related Works u Cube-like

454 views • 27 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 Nanyang Technological

Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 Nanyang Technological

Description of SHA-2 Description of Preimage Attack Application to SHA-2 Conclusions Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 Nanyang Technological University, Singapore Technical University of Denmark NTU, 25 Nov

249 views • 21 slides
A Meet-in-the-Middle Attack on 8-Round AES H useyin Demirci Ali Aydn Sel cuk presented

A Meet-in-the-Middle Attack on 8-Round AES H useyin Demirci Ali Aydn Sel cuk presented

A Meet-in-the-Middle Attack on 8-Round AES H useyin Demirci Ali Aydn Sel cuk presented by Orhun Kara 1 Outline The AES A 5-round distinguisher Attack on 7-round AES-192, AES-256 and 8-round AES-256 Some optimizations

504 views • 19 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore March 11, 2013 1 Outline Backgrounds Specification Previous Analysis Slidex Attack Application Multicollision Application

744 views • 42 slides
Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Outline Attack Conclusion ECHO-256 Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy Jean and Pierre-Alain Fouque Ecole Normale Suprieure FSE2011 February 14, 2011 FSE2011 Jrmy

562 views • 42 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun & profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

733 views • 58 slides
Algorithmic Analysis of Polygonal Hybrid Systems G ERARDO S CHNEIDER V ERIMAG G RENOBLE

Algorithmic Analysis of Polygonal Hybrid Systems G ERARDO S CHNEIDER V ERIMAG G RENOBLE

Algorithmic Analysis of Polygonal Hybrid Systems G ERARDO S CHNEIDER V ERIMAG G RENOBLE Algorithmic Analysis of Polygonal Hybrid Systems p.1/66 Hybrid Systems Hybrid Systems: interaction between discrete and continuous behaviors

1.72k views • 147 slides
CS 188: Artificial Intelligence Hidden Markov Models Instructors: Pieter Abbeel and Dan Klein ---

CS 188: Artificial Intelligence Hidden Markov Models Instructors: Pieter Abbeel and Dan Klein ---

CS 188: Artificial Intelligence Hidden Markov Models Instructors: Pieter Abbeel and Dan Klein --- University of California, Berkeley [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188

739 views • 22 slides
Why One Test Triggered a 180 Turn in How All Whirlpool Brands Direct Market to Consumers

Why One Test Triggered a 180 Turn in How All Whirlpool Brands Direct Market to Consumers

Why One Test Triggered a 180 Turn in How All Whirlpool Brands Direct Market to Consumers Thomas s Mender Ben Benjamin Huppertz Sr. Manager, Database Marketing Sr. Research Manager Whirlpool MECLABS Session Speaker Thomas Mender

648 views • 51 slides
STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O.

STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O.

mjos@item.ntnu.no STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O. Saarinen Norwegian University of Science and Technology Directions in Authentication Ciphers '14 24 August 2014, Santa Barbara USA 1

220 views • 19 slides
1 Implied Conditional Independencies Markov Models Recap X 1 X 2 X 3 X 4 Explicit assumption

1 Implied Conditional Independencies Markov Models Recap X 1 X 2 X 3 X 4 Explicit assumption

Reasoning over Time or Space CSE 473: Artificial Intelligence Markov Models Often, we want to reason about a sequence of observations Speech recognition Robot localization User attention Medical monitoring Need to introduce

266 views • 3 slides
Supplemental Information First-Quarter 2013 Earnings Call Market & Financial Overview Q1

Supplemental Information First-Quarter 2013 Earnings Call Market & Financial Overview Q1

Supplemental Information First-Quarter 2013 Earnings Call Market & Financial Overview Q1 Capital Markets & Leasing Markets Volumes

442 views • 19 slides
Moises Norena Global Director of Innovation WHAT IS INNOVATION ABOUT? FROM TO $375 Before

Moises Norena Global Director of Innovation WHAT IS INNOVATION ABOUT? FROM TO $375 Before

Driving Maximum Value Extraction of Innovation Moises Norena Global Director of Innovation WHAT IS INNOVATION ABOUT? FROM TO $375 Before innovation embedment Innovation embedded $350 ASV CAGR +3.9 % $325 02 09 Average ASV

311 views • 9 slides
Awards Ceremony 2018 Best Practices in Education Award Minerva Informatics Equality Award

Awards Ceremony 2018 Best Practices in Education Award Minerva Informatics Equality Award

Awards Ceremony 2018 Best Practices in Education Award Minerva Informatics Equality Award ERCIM Cor Baayen Young Researcher Award Awards Ceremony 2018 Best Practices in Education Award Michael Klling (Kings College London) Chair

225 views • 19 slides

More recommend