security of sha 3 and related constructions
play

Security of SHA-3 and Related Constructions Jian Guo FSE 2019 @ - PowerPoint PPT Presentation

Sep 30, 2022 •227 likes •889 views

Security of SHA-3 and Related Constructions Jian Guo FSE 2019 @ Paris, France. 27th March 2019 J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 1 / 49 Acknowledgements Thomas Peyrin FSE 2019 @ Paris Security of SHA-3

  1. Security of SHA-3 and Related Constructions Jian Guo FSE 2019 @ Paris, France. 27th March 2019 J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 1 / 49

  2. Acknowledgements Thomas Peyrin FSE 2019 @ Paris Security of SHA-3 and Related Constructions J. Guo Lei Wei Ling Song Danping Shi Jean-René Reinhard Kexin Qiao Meicheng Liu Many thanks go to my collaborators on this topic: Guozhen Liu San Ling Guohong Liao Jérémy Jean Henri Gilbert Thomas Fuhr Alexandre Duc Colin Chaigneau 2 / 49

  3. Outlines 5 FSE 2019 @ Paris Security of SHA-3 and Related Constructions J. Guo Concluding Remarks 6 Key-Recovery Attacks Distinguishers 1 4 Collision Attacks 3 Preimage Attacks 2 Introduction to Keccak 3 / 49

  4. Outline 5 FSE 2019 @ Paris Security of SHA-3 and Related Constructions J. Guo Concluding Remarks 6 Key-Recovery Attacks Distinguishers 1 4 Collision Attacks 3 Preimage Attacks 2 Introduction to Keccak 4 / 49

  5. SHA-3 ( Keccak ) Hash Function The sponge construction [BDPV11] b -bit permutation f The message is padded and then split into r -bit blocks. J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 4 / 49 Two parameters: bitrate r , capacity c , and b = r + c .

  6. SHA-3 Hash Function Keccak - f permutation FSE 2019 @ Paris Security of SHA-3 and Related Constructions J. Guo http://www.iacr.org/authors/tikz/ 5 / 49 steps: each round R consists of five 24 rounds of 64-bit lanes, 1600 bits: seen as a 5 × 5 array A [ x , y ] , 0 ≤ x , y < 5 Row Lane Column Slice R = ι ◦ χ ◦ π ◦ ρ ◦ θ χ : the only nonlinear operation

  7. SHA-3 Hash Function http://keccak.noekeon.org/ The Column Parity kernel J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 6 / 49 Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ θ step: adding two columns to the current bit C [ x ] = A [ x , 0] ⊕ A [ x , 1] ⊕ A [ x , 2] ⊕ A [ x , 3] ⊕ A [ x , 4] D [ x ] = C [ x − 1] ⊕ ( C [ x + 1] ≪ 1) A [ x , y ] = A [ x , y ] ⊕ D [ x ] ◮ If C [ x ] = 0 , 0 ≤ x < 5 , then the state A is in the CP kernel.

  8. SHA-3 Hash Function 21 10 43 25 39 41 45 15 8 20 18 2 61 56 14 J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 3 7 / 49 55 28 http://keccak.noekeon.org/ 1 62 0 27 36 44 6 Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ ρ step: lane level rotations, A [ x , y ] = A [ x , y ] ≪ r [ x , y ] Rotation offsets r [ x , y ] x = 0 x = 1 x = 2 x = 3 x = 4 y = 0 y = 1 y = 2 y = 3 y = 4

  9. SHA-3 Hash Function J. Guo FSE 2019 @ Paris Security of SHA-3 and Related Constructions 8 / 49 Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ π step: permutation on lanes 0,0 1,0 2,0 3,0 4,0 0,0 1,1 2,2 3,3 4,4 0,1 1,1 2,1 3,1 4,1 3,0 4,1 0,2 1,3 2,4 π 0,2 1,2 2,2 3,2 4,2 1,0 2,1 3,2 4,3 0,4 0,3 1,3 2,3 3,3 4,3 4,0 0,1 1,2 2,3 3,4 0,4 1,4 2,4 3,4 4,4 2,0 3,1 4,2 0,3 1,4 A [ y , 2 ∗ x + 3 ∗ y ] = A [ x , y ]

  10. SHA-3 Hash Function The algebraic degrees of FSE 2019 @ Paris Security of SHA-3 and Related Constructions J. Guo 9 / 49 Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ χ step: 5-bit S-boxes, nonlinear operation on rows x 0 x 1 x 2 x 3 x 4 y 0 = x 0 ⊕ ( x 1 ⊕ 1) · x 2 y 1 = x 1 ⊕ ( x 2 ⊕ 1) · x 3 y 2 = x 2 ⊕ ( x 3 ⊕ 1) · x 4 y 3 = x 3 ⊕ ( x 4 ⊕ 1) · x 0 y 4 = x 4 ⊕ ( x 0 ⊕ 1) · x 1 y 0 y 1 y 2 y 3 y 4 χ and χ − 1 are 2 and 3.

  11. SHA-3 Hash Function Adding one round-dependent constant to the first ”lane”, to destroy the symmetry. The round function would be symmetric. All rounds would be the same. Fixed points exist. Vulnerable to rotational attacks, slide attacks, ... J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 10 / 49 Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ ι step: adding a round constant to the state Without ι

  12. SHA-3 Hash Function Round function of Keccak - f FSE 2019 @ Paris Security of SHA-3 and Related Constructions J. Guo 11 / 49 Internal state A: a 5 × 5 array of 64-bit lanes θ step C [ x ] = A [ x , 0] ⊕ A [ x , 1] ⊕ A [ x , 2] ⊕ A [ x , 3] ⊕ A [ x , 4] D [ x ] = C [ x − 1] ⊕ ( C [ x + 1] ≪ 1) A [ x , y ] = A [ x , y ] ⊕ D [ x ] ρ step A [ x , y ] = A [ x , y ] ≪ r [ x , y ] - The constants r [ x , y ] are the rotation offsets. π step A [ y , 2 ∗ x + 3 ∗ y ] = A [ x , y ] χ step A [ x , y ] = A [ x , y ] ⊕ (( A [ x + 1 , y ]) & A [ x + 2 , y ]) ι step A [0 , 0] = A [0 , 0] ⊕ RC - RC [ i ] are the round constants. L � π ◦ ρ ◦ θ The only non-linear operation is χ step.

  13. Outline 5 FSE 2019 @ Paris Security of SHA-3 and Related Constructions J. Guo Concluding Remarks 6 Key-Recovery Attacks Distinguishers 1 4 Collision Attacks 3 Preimage Attacks 2 Introduction to Keccak 12 / 49

  14. Preimage Attacks — Linear Structures Core ideas: treat the bits of message block as variables, and convert the preimage finding problem into a system of linear equation; the rounds as possible. J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 12 / 49 algebraic degree of the variables is kept to be at most 1 for as many limit the algebraic degrees increased by χ . limit the diffusion effect of θ by forcing the variables in CP kernel.

  15. Observation When there is no neighbouring variables in the input of an Sbox, the application of does NOT increase algebraic degrees. Allows at most independent variables, i.e., at least out of bits need to be fixed in each Sbox. J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 13 / 49 How to keep χ linear The expression of b = χ ( a ) is of algebraic degree 2: b i = a i + a i +1 · a i +2 , for i = 0 , 1 , . . . , 4 .

  16. Observation When there is no neighbouring variables in the input of an Sbox, the Allows at most independent variables, i.e., at least out of bits need to be fixed in each Sbox. J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 13 / 49 How to keep χ linear The expression of b = χ ( a ) is of algebraic degree 2: b i = a i + a i +1 · a i +2 , for i = 0 , 1 , . . . , 4 . application of χ does NOT increase algebraic degrees.

  17. 13 / 49 Allows at most FSE 2019 @ Paris Observation When there is no neighbouring variables in the input of an Sbox, the Security of SHA-3 and Related Constructions J. Guo need to be fixed in each Sbox. bits out of independent variables, i.e., at least How to keep χ linear The expression of b = χ ( a ) is of algebraic degree 2: b i = a i + a i +1 · a i +2 , for i = 0 , 1 , . . . , 4 . application of χ does NOT increase algebraic degrees. 0 1 x 0 c x 2 x 0 + 1 + 0 c √ x 2 c · x 2 x 0 · c

  18. 13 / 49 Allows at most FSE 2019 @ Paris Observation When there is no neighbouring variables in the input of an Sbox, the Security of SHA-3 and Related Constructions J. Guo need to be fixed in each Sbox. bits out of independent variables, i.e., at least How to keep χ linear The expression of b = χ ( a ) is of algebraic degree 2: b i = a i + a i +1 · a i +2 , for i = 0 , 1 , . . . , 4 . application of χ does NOT increase algebraic degrees. 0 1 x 0 c x 2 x 1 x 2 c x 0 + 1 + 0 c + c √ x 2 c · x 2 x 0 · c x 1 · x 2 ×

  19. 13 / 49 need to be fixed in each Sbox. FSE 2019 @ Paris Observation When there is no neighbouring variables in the input of an Sbox, the Security of SHA-3 and Related Constructions J. Guo How to keep χ linear The expression of b = χ ( a ) is of algebraic degree 2: b i = a i + a i +1 · a i +2 , for i = 0 , 1 , . . . , 4 . application of χ does NOT increase algebraic degrees. 0 1 x 0 c x 2 x 1 x 2 c x 0 + 1 + 0 c + c √ x 2 c · x 2 x 0 · c x 1 · x 2 × Allows at most 2 independent variables, i.e., at least 3 out of 5 bits

  20. Linear Structure — A Simple Example Figure: 1-round linear structure of Keccak -p * [w] ith the degrees of FSE 2019 @ Paris Security of SHA-3 and Related Constructions J. Guo All variables do not multiply with each other in the first round. : 0. 1; : : algebraic degree at most 1; : variables; freedom up to 512, where 14 / 49 0,0 1,0 2,0 3,0 4,0 0,0 1,0 2,0 3,0 4,0 0,0 1,1 2,2 3,3 4,4 0,0 1,1 2,2 3,3 4,4 0,1 1,1 2,1 3,1 4,1 0,1 1,1 2,1 3,1 4,1 3,0 4,1 0,2 1,3 2,4 3,0 4,1 0,2 1,3 2,4 π ◦ ρ ι ◦ χ θ 0,2 1,2 2,2 3,2 4,2 0,2 1,2 2,2 3,2 4,2 1,0 2,1 3,2 4,3 0,4 1,0 2,1 3,2 4,3 0,4 0,3 1,3 2,3 3,3 4,3 0,3 1,3 2,3 3,3 4,3 4,0 0,1 1,2 2,3 3,4 4,0 0,1 1,2 2,3 3,4 0,4 1,4 2,4 3,4 4,4 0,4 1,4 2,4 3,4 4,4 2,0 3,1 4,2 0,3 1,4 2,0 3,1 4,2 0,3 1,4 = = � = 0 � = 0 Result : one-round linear structure with dimension up to 512 . The θ effect is limited by forcing � = 0 (or 1 ) in two columns.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Geometric constructions related to isoparametric foliations Chao Qian Beijing Institute of

Geometric constructions related to isoparametric foliations Chao Qian Beijing Institute of

Geometric constructions related to isoparametric foliations Chao Qian Beijing Institute of Technology Based on the joint works with Prof. Peng and Tang 02. 06. 2019 Chao Qian Geometric constructions related to isoparametric foliations

778 views • 46 slides
CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong Last Lecture Symmetric &amp; Public key encryption Secure Multiparty Computations Problem and security definitions General constructions

492 views • 48 slides
CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong Last Lecture Symmetric &amp; Public key encryption Secure Multiparty Computations Problem and security definitions General constructions

846 views • 55 slides
Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva, Jean Paul Degabriele , Kenny

924 views • 43 slides
Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery Ananth Raghunathan Stanford University Pseudorandom Functions (PRFs) x { 0 , 1 } R k K x k PRF PRF( k , x ) x Rand Rand(

565 views • 23 slides
Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Message Authentication Code HtM Construction Contributions Conclusion Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and Ashwin Jha and Mridul Nandi Indian Statistical Institute, Kolkata 27th

463 views • 42 slides
Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Tlcom R&amp;D and Universit de Versailles FSE 07, March 26 Intro Framework Computability Attacks Bounds Recap Applications

318 views • 19 slides
Random Probing Security Verification, Composition, Expansion and New Constructions Sonia Belad 1

Random Probing Security Verification, Composition, Expansion and New Constructions Sonia Belad 1

Introduction Random Probing Security Random Probing Composability Random Probing Expandability Conclusion Random Probing Security Verification, Composition, Expansion and New Constructions Sonia Belad 1 , Jean-Sbastien Coron 2 Emmanuel

1.04k views • 99 slides
Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University of Florida) Seth Terashima (Qualcomm Technologies, inc.) What weak bounds? ...from encrypting lots of data Intel Hardware RNG: Single-machine

246 views • 23 slides
1 Privacy has become the mainstay of security We have loads of data that we freely give away via

1 Privacy has become the mainstay of security We have loads of data that we freely give away via

Introduction and welcome Two main topics: Security related Research related Theyre related but each has it own distinct requirements 1 Privacy has become the mainstay of security We have loads of data that we freely give away via web pages

448 views • 21 slides
Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020) Syntactic Constructions Chapter 9 1 / 43 Introduction 1 2 The Relationship between Active and Passive Approaches to Passive 3 From Structural

597 views • 43 slides
x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

ECRYPT Bart Preneel Emerging Topics in Cryptographic Design and Cryptanalysis Generic Constructions 30 April- 4 May 2007, Samos Greece for Iterated Hash Functions Outline Generic Constructions Generic Constructions for Iterated Hash

759 views • 10 slides
Towards Optimal Constructions of Towards Optimal Constructions of Dynamically Corrected Quantum

Towards Optimal Constructions of Towards Optimal Constructions of Dynamically Corrected Quantum

Second International Conference on Quantum Error Correction University of Southern California, Dec. 5-9 2011 Towards Optimal Constructions of Towards Optimal Constructions of Dynamically Corrected Quantum Gates Dynamically Corrected Quantum

700 views • 25 slides
Chapter 7: Raising and Control Constructions Syntactic Constructions in English Kim and Michaelis

Chapter 7: Raising and Control Constructions Syntactic Constructions in English Kim and Michaelis

Chapter 7: Raising and Control Constructions Syntactic Constructions in English Kim and Michaelis (2020) Syntactic Constructions Chapter 7 1 / 48 Raising and Control Predicates 1 2 Differences between Raising and Control Verbs Subject

635 views • 48 slides
Task 3 - Vulnerability and damageability of constructions under impact and explosion Florea Dinu

Task 3 - Vulnerability and damageability of constructions under impact and explosion Florea Dinu

COST C26 Final Conference: Urban Habitat Constructions under Catastrophic Events Naples, Italy, 16-18 September 2010 WG3 - Impact and explosion resistance Task 3 - Vulnerability and damageability of constructions under impact and

787 views • 36 slides
IBM X-Force signatures related to ICS related products and protocols Provides the protection for

IBM X-Force signatures related to ICS related products and protocols Provides the protection for

OT Seize the last chance of preventing OT Cyberattack proactively Gwen Hsieh Sr. Offering Manger, IBM Security IBM X-Force signatures related to ICS related products and protocols

220 views • 10 slides
Trainable Approaches for Surface NLG* Adwait Ratnaparkhi WhizBang! Labs -- Research *Funded by

Trainable Approaches for Surface NLG* Adwait Ratnaparkhi WhizBang! Labs -- Research *Funded by

Trainable Approaches for Surface NLG* Adwait Ratnaparkhi WhizBang! Labs -- Research *Funded by IBM TJ Watson Research Center What is surface NL generation ? Module that produces grammatical NL phrase to describe an input semantic

712 views • 18 slides
Chinese Characters Ling 203 Languages of the World Overview Most Chinese characters bear no

Chinese Characters Ling 203 Languages of the World Overview Most Chinese characters bear no

Chinese Characters Ling 203 Languages of the World Overview Most Chinese characters bear no resemblance to the object/idea they represents, though many of them did historically. Most Chinese characters are such that they give clues

204 views • 16 slides
Optimization Problems LING 572 Advanced Statistical Methods for NLP January 28, 2020 1

Optimization Problems LING 572 Advanced Statistical Methods for NLP January 28, 2020 1

Optimization Problems LING 572 Advanced Statistical Methods for NLP January 28, 2020 1 Announcements HW2 grades posted: 85.7 avg Historically the hardest / most time-consuming assignment of 572 [NB: we accept +/- 5% differences from

799 views • 26 slides
Compiling Comp Ling Practical weighted dynamic programming and the Dyna language -Michael Jordan

Compiling Comp Ling Practical weighted dynamic programming and the Dyna language -Michael Jordan

An Anecdote from ACL05 Compiling Comp Ling Practical weighted dynamic programming and the Dyna language -Michael Jordan Jason Eisner Eric Goldlust Noah A. Smith HLT-EMNLP, October 2005 1 2 An Anecdote from ACL05 Conclusions to draw

228 views • 8 slides
Kumar Sambhav Pandey, Hitesh Shrimali, Dinesh Kumar B School of Computing and Electrical

Kumar Sambhav Pandey, Hitesh Shrimali, Dinesh Kumar B School of Computing and Electrical

Kumar Sambhav Pandey, Hitesh Shrimali, Dinesh Kumar B School of Computing and Electrical Engineering, Indian Institute of Technology, Mandi Neeraj Goel Department of Computer Science &amp; Engineering, Indian Institute of Technology, Ropar

479 views • 33 slides
MobiArch 2008 MobiArch 2008 Shall we apply paging technologies to Shall we apply paging

MobiArch 2008 MobiArch 2008 Shall we apply paging technologies to Shall we apply paging

MobiArch 2008 MobiArch 2008 Shall we apply paging technologies to Shall we apply paging technologies to Proxy Mobile IPv6 ? Jong-Hyouk Lee, Tai-Myoung Chung (Sungkyunkwan University, Korea) J H k L T i M Ch (S k k U i it K )

293 views • 13 slides
FraudVis : Understanding Unsupervised Fraud Detection Algorithms Jiao Sun 1 , Qixin Zhu 1 , Zhifei

FraudVis : Understanding Unsupervised Fraud Detection Algorithms Jiao Sun 1 , Qixin Zhu 1 , Zhifei

FraudVis : Understanding Unsupervised Fraud Detection Algorithms Jiao Sun 1 , Qixin Zhu 1 , Zhifei Liu 1 , Xin Liu 1 , Jihae Lee 1 , Lei Shi 2 , Zhigang Su 3 , Ling Huang 1 and Wei Xu 1 1 Institute of Interdisciplinary Information Sciences ,

288 views • 16 slides
Transition-Based Dependency Parsing with Stack Long Short-Term Memory Chris Dyer, Miguel

Transition-Based Dependency Parsing with Stack Long Short-Term Memory Chris Dyer, Miguel

Transition-Based Dependency Parsing with Stack Long Short-Term Memory Chris Dyer, Miguel Ballesteros, Wang Ling, Austin Matthews, Noah A. Smith Association for Computational Linguistics (ACL), 2015 Presented By: Lavisha Aggarwal (lavisha2)

253 views • 23 slides

More recommend