rebound attack
play

Rebound Attack Florian Mendel Institute for Applied Information - PowerPoint PPT Presentation

Sep 23, 2023 •273 likes •1.01k views

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline Motivation 1 2 Whirlpool Hash

  1. Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/

  2. Outline Motivation 1 2 Whirlpool Hash Function Application of the Rebound Attack 3 Summary 4

  3. SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt

  4. SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt

  5. The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, . . .

  6. The Rebound Attack E bw E in E fw inbound outbound outbound Applies to block cipher and permutation based designs: E = E fw ◦ E in ◦ E bw P = P fw ◦ P in ◦ P bw

  7. The Rebound Attack E bw E in E fw inbound outbound outbound Inbound phase efficient meet-in-the-middle phase in E in using available degrees of freedom Outbound phase probabilistic part in E bw and E fw repeat inbound phase if needed

  8. The Whirlpool Hash Function M 1 M 2 M 3 M t f f f f H ( m ) IV designed by Barretto and Rijmen [BR00] evaluated by NESSIE standardized by ISO/IEC 10118-3:2003 iterative, based on the Merkle-Damg˚ ard design principle message block, chaining values, hash size: 512 bit

  9. The Whirlpool Compression Function key schedule H j − 1 SB SC MR AC state update M j H j SB SC MR AK 512-bit hash value and using 512-bit message blocks Block-cipher based design (similar to AES) Miyaguchi-Preneel mode with conservative key schedule

  10. The Whirlpool Round Transformations SubBytes ShiftColumns MixRows AddRoundKey K i S(x) + The state update and the key schedule update an 8 × 8 state S and K of 64 bytes 10 rounds each AES like round transformation r i = AK ◦ MR ◦ SC ◦ SB

  11. Notations Round i C i K SB K SC K MR K i − 1 K i i i i SB SC MR AC S SB S SC S MR S i − 1 S i i i i SB SC MR AK

  12. Collision Attack on Whirlpool key schedule H j − 1 SB SC MR AC state update M j H j SB SC MR AK 1-block collision: fixed H j − 1 (to IV ) f ( M j , H j − 1 ) = f ( M ∗ j , H j − 1 ) , M j � = M ∗ j generic complexity 2 256 ( n = 512)

  13. Collision Attack on Whirlpool key schedule H j − 1 SB SC MR AC state update ∆ M j H j SB SC MR AK 1-block collision: fixed H j − 1 (to IV ) f ( M j , H j − 1 ) = f ( M ∗ j , H j − 1 ) , M j � = M ∗ j generic complexity 2 256 ( n = 512)

  14. Collision Attack on 4 Rounds K 0 K 1 K 2 K 3 K 4 SB SB SB SB IV SC SC SC SC MR MR MR MR AC AC AC AC S 0 S 3 S 1 S 2 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 → 8 → 64 → 8) maximum differential probability: ( 2 − 5 ) 81 = 2 − 405

  15. Collision Attack on 4 Rounds K 0 K 1 K 2 K 3 K 4 constant SB SB SB SB IV SC SC SC SC MR MR MR MR AC AC AC AC S 0 S 3 S 1 S 2 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 → 8 → 64 → 8) maximum differential probability: ( 2 − 5 ) 81 = 2 − 405

  16. Collision Attack on 4 Rounds K 0 K 1 K 2 K 3 K 4 constant SB SB SB SB IV SC SC SC SC MR MR MR MR AC AC AC AC S 0 S 3 S 1 S 2 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 → 8 → 64 → 8) maximum differential probability: ( 2 − 5 ) 81 = 2 − 405 How to find a message pair following the differential trail?

  17. First: Use Truncated Differences S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK byte-wise truncated differences: active / not active we do not mind about actual differences single active byte at input and output is enough probabilistic in MixRows: 2 − 56 for 8 → 1 we can remove many restrictions (more freedom) hopefully less complexity of message search

  18. How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK message modification?

  19. How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK message modification? meet in the middle?

  20. How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK message modification? meet in the middle? inside out?

  21. How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK message modification? meet in the middle? inside out? rebound!

  22. Rebound Attack on 4 Rounds [MRST09] S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK outbound phase inbound phase outbound phase Inbound phase (1) start with differences in round 2 and 3 (2) match-in-the-middle at S-box using values of the state Outbound phase (3) probabilistic propagation in MixRows in round 1 and 4 (4) match one-byte difference of feed-forward

  23. Inbound Phase S SB S SC S MR S 2 2 3 3 3a c0 e6 MR SC b9 SB 5a AK MR 8c 08 c0 get values (1) Start with arbitrary differences in state S MR 3

  24. Inbound Phase S SB S SC S MR S 2 2 3 3 e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB b1 60 20 f4 1e cd bf 10 5a AK MR f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences get values (1) Start with arbitrary differences in state S MR 3 linearly propagate all differences backward to S SB 3

  25. Inbound Phase S SB S SC S MR S 2 2 3 3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB b1 60 20 f4 1e cd bf 10 5a AK MR f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences differences get values (1) Start with arbitrary differences in state S MR 3 linearly propagate all differences backward to S SB 3 linearly propagate row-wise forward from S SC to S 2 2

  26. Inbound Phase S SB S SC S MR S 2 2 3 3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 ? MR a2 b1 63 11 96 1e 4d 04 SC b9 SB b1 60 20 f4 1e cd bf 10 5a AK MR f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences match differences differences get values get values (1) Start with arbitrary differences in state S MR 3 linearly propagate all differences backward to S SB 3 linearly propagate row-wise forward from S SC to S 2 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2 − xx we get 2 xx solutions for each row

  27. Match-in-the-Middle for Single S-box ∆ a Sbox ∆ b Check for matching input/output differences Sbox ( x ) ⊕ Sbox ( x ⊕ ∆ a ) = ∆ b Use Difference Distribution Table (DDT)

  28. Difference Distribution Table (Whirlpool) in \ out 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 0 6 2 0 0 6 2 0 0 0 4 0 0 0 0 0 02 0 0 0 0 0 0 0 2 0 0 0 0 4 0 0 0 03 0 2 2 0 2 2 0 0 2 0 0 0 0 0 0 2 04 0 0 2 2 0 4 0 0 0 2 2 2 2 0 2 0 05 0 0 0 0 0 2 0 2 0 0 0 0 0 0 4 2 06 . 4 0 2 0 0 2 0 0 2 6 2 4 0 2 2 0 . 07 . 0 2 2 0 0 2 0 0 4 0 2 0 2 0 2 0 . 08 . 0 0 0 0 2 2 2 0 0 0 0 2 2 4 4 0 . 09 8 0 0 0 2 4 2 2 0 0 0 0 0 2 0 2 0a 0 0 0 0 2 0 2 0 2 0 2 0 0 0 0 0 0b 8 2 2 2 2 0 0 0 0 2 2 2 2 2 0 4 0c 0 2 2 0 0 0 0 4 0 2 2 0 0 2 4 2 0d 0 2 2 0 0 2 4 4 0 0 2 2 0 0 0 2 0e 4 0 4 2 0 0 0 0 2 0 2 0 4 2 0 0 0f 0 2 0 0 0 2 0 0 0 0 0 0 2 0 2 2 . . . Differences can be connected if there is a non-zero entry in the table

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and Lei Wei 3 1 Ecole Polytechnique Fdrale de Lausanne, Switzerland 2 Institute for Infocomm Research, Singapore 3 Nanyang Technological University,

783 views • 46 slides
Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and Lei Wei 3 1 Ecole Polytechnique Fdrale de Lausanne, Switzerland 2 Institute for Infocomm Research, Singapore 3 Nanyang Technological University,

945 views • 51 slides
The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian

The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian

Technical University of Denmark - Graz University of Technology The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian Rechberger 1 , Martin Schl affer 1 , Sren S. Thomsen 2 1 Institute for Applied

556 views • 23 slides
Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline Motivation 1 2 Whirlpool Hash

562 views • 35 slides
Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa Anas Tschichold Go Goal: No Rebound! after an efficiency improvement to produce one unit, price will not decrease and therefore demand will

786 views • 39 slides
How to Improve Rebound Attacks Mar a Naya-Plasencia FHNW - Switzerland Outline 1 Hash

How to Improve Rebound Attacks Mar a Naya-Plasencia FHNW - Switzerland Outline 1 Hash

How to Improve Rebound Attacks Mar a Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1 Problem 2 4 Results

543 views • 27 slides
Improved Rebound Attack on the Finalist Grstl Jrmy Jean 1 Mara Naya-Plasencia 2 Thomas

Improved Rebound Attack on the Finalist Grstl Jrmy Jean 1 Mara Naya-Plasencia 2 Thomas

Improved Rebound Attack on the Finalist Grstl Jrmy Jean 1 Mara Naya-Plasencia 2 Thomas Peyrin 3 1 cole Normale Suprieure, France 2 University of Versailles, France 3 Nanyang Technological University, Singapore FSE2012 March 19,

1.24k views • 71 slides
The Restaurant Rebound Welcome to the Restaurant Rebound, a bi-weekly report on the industrys

The Restaurant Rebound Welcome to the Restaurant Rebound, a bi-weekly report on the industrys

The Restaurant Rebound Welcome to the Restaurant Rebound, a bi-weekly report on the industrys recovery, providing an analysis of recent OpenTable booking data and the latest news out of the sector. Future issues will also include first-hand

48 views • 3 slides
Rebound Effects Digitalization and the Rebound Effect - Seminar HS2019 Martin Blapp Greenhouse

Rebound Effects Digitalization and the Rebound Effect - Seminar HS2019 Martin Blapp Greenhouse

Rebound Effects Digitalization and the Rebound Effect - Seminar HS2019 Martin Blapp Greenhouse gas abatement potential for Switzerland in 2025 Hilty, University of Zurich Research Report, 2017 2 Historical Perspective The Rebound Effect How

746 views • 41 slides
REBOUND EFFECT FOR PRIVATE TRANSPORT AND ENERGY SERVICES IN THE UK IAEE European Conference,

REBOUND EFFECT FOR PRIVATE TRANSPORT AND ENERGY SERVICES IN THE UK IAEE European Conference,

REBOUND EFFECT FOR PRIVATE TRANSPORT AND ENERGY SERVICES IN THE UK IAEE European Conference, Vienna, September 3-6, 2017 Mona Chitnis (University of Surrey) Roger Fouquet (LSE) Steve Sorrell (University of Sussex) Outline Rebound

300 views • 17 slides
The Walkable Urban Rebound San Antonio at the Tipping Point Alex Steinberger San Antonio

The Walkable Urban Rebound San Antonio at the Tipping Point Alex Steinberger San Antonio

The Walkable Urban Rebound San Antonio at the Tipping Point Alex Steinberger San Antonio Housing Summit Fregonese Associates September 30 th , 2016 The (Walkable) Urban Rebound Walkable urbanism development is now propelling real estate

614 views • 46 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Slides for When Does Eco-Efficiency Rebound or Backfire? An Analytical Model Presentation

Slides for When Does Eco-Efficiency Rebound or Backfire? An Analytical Model Presentation

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/345431176 Slides for When Does Eco-Efficiency Rebound or Backfire? An Analytical Model Presentation November 2020 CITATIONS READ 0

298 views • 27 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Residential energy efficiency and carbon policies: Costs, rebound and emissions CGE-analysis with

Residential energy efficiency and carbon policies: Costs, rebound and emissions CGE-analysis with

1 Brita Bye, Taran Fhn, Orvika Rosnes: Residential energy efficiency and carbon policies: Costs, rebound and emissions CGE-analysis with bottom-up information 22 nd Annual Conference of EAERE Zrich June 2016 1 Background One of the

544 views • 35 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
NUCLEAR SOLUTIONS TO MEET SPECIFIC TERRITORIAL DEMANDS Andrey Rozhdestvin Regional Vice

NUCLEAR SOLUTIONS TO MEET SPECIFIC TERRITORIAL DEMANDS Andrey Rozhdestvin Regional Vice

THE STATE ATOMIC ENERGY CORPORATION ROSATOM NUCLEAR SOLUTIONS TO MEET SPECIFIC TERRITORIAL DEMANDS Andrey Rozhdestvin Regional Vice President, Director of Rosatom Western Europe 2019 THE NEW NUCLEAR ARCTICA ICEBREAKER The content of this

248 views • 10 slides
Small Modular Reactors Smaller is beautiful versus Bigger is better?... II:

Small Modular Reactors Smaller is beautiful versus Bigger is better?... II:

Small Modular Reactors Smaller is beautiful versus Bigger is better?... II: technology Sara Boarin of SMR Examples From IAEA 2016 www.iaea.org/NuclearPower/SMR/ Examples of SMR: KLT-40s (RUS) KLT-40s Main Data Type

665 views • 8 slides
Distributed Consensus Paxos Ethan Cecchetti October 18, 2016 CS6410 Some structure taken from

Distributed Consensus Paxos Ethan Cecchetti October 18, 2016 CS6410 Some structure taken from

Distributed Consensus Paxos Ethan Cecchetti October 18, 2016 CS6410 Some structure taken from Robert Burgesss 2009 slides on this topic State Machine Replication (SMR) Server 1 Server 2 View a server as a state machine. S 0 S 0 S 0 To

575 views • 22 slides
Applying K-means (or flowPeaks) and Support vector machines to the sample classification problem

Applying K-means (or flowPeaks) and Support vector machines to the sample classification problem

Applying K-means (or flowPeaks) and Support vector machines to the sample classification problem using the flow cytometry data Yongchao Ge Mount Sinai School of Medicine FlowCAP II summit, Sept 22-23 Outline Objective Kmeans and

479 views • 25 slides
Geometry of Voting Christian Klamler - University of Graz Estoril, 12 April 2010 Introduction 2

Geometry of Voting Christian Klamler - University of Graz Estoril, 12 April 2010 Introduction 2

Geometry of Voting Christian Klamler - University of Graz Estoril, 12 April 2010 Introduction 2 We have seen what paradoxical situations could occur Now its time to provide some explanation for it Don Saaris Basic Geometry

614 views • 33 slides
Cloud overview "The illiterate of the 21st century will not be those who cannot read and

Cloud overview "The illiterate of the 21st century will not be those who cannot read and

Cloud overview "The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn." - Alvin Toffler, "Future Shock" (1970) From a recruiter (for a company with a

432 views • 27 slides
Designing Norms Whats the friendliest place on the web that CS 278 | Stanford University |

Designing Norms Whats the friendliest place on the web that CS 278 | Stanford University |

Reply in Zoom chat: Designing Norms Whats the friendliest place on the web that CS 278 | Stanford University | Michael Bernstein youve seen? Last time: bustling spaces Eyes on street: bustling spaces and ghost towns Contribution

736 views • 48 slides
Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino

Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino

Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, Franois-Xavier Standaert TU Darmstadt (Germany), Radbout University

774 views • 39 slides

More recommend