Slide 1

Technical University of Denmark - Graz University of Technology

The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

Florian Mendel¹, Christian Rechberger¹, Martin Schläffer¹, Søren S. Thomsen²

¹ Institute for Applied Information Processing and Communications (IAIK)

Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria

² Department of Mathematics, Technical University of Denmark

Matematiktorvet 303S, DK-2800 Kgs. Lyngby, Denmark

FSE 2009 1

Slide 2

Overview

  1 Motivation
  2 The Rebound Attack
  3 The Whirlpool Hash Function
  4 Rebound Attack on Whirlpool
  5 Rebound Attack on Grøstl
  6 Results and Conclusions



Slide 4

Motivation

NIST SHA-3 Competition
  • diversity of designs ⇒ diversity of cryptanalytic tools needed

Many AES based designs
  • how to analyze them? we contribute a new attack to this toolbox

Applications?
  • the idea of the attack is widely applicable: Whirlpool, Grøstl



Slide 6

Collision Attacks on Hash Functions

iterated hash function h(M, IV)
  • compression function f: H_t = f(M_t, H_{t-1}), H_0 = IV

different types of collision attacks:
  (1) collision: fixed IV
      f(M_t, IV) = f(M'_t, IV), M_t ≠ M'_t
  (2) semi-free-start collision: random chaining input
      f(M_t, H_{t-1}) = f(M'_t, H_{t-1}), M_t ≠ M'_t
  (3) free-start collision: random differences and values of chaining input
      f(M_t, H_{t-1}) = f(M'_t, H'_{t-1}), M_t ≠ M'_t, H_{t-1} ≠ H'_{t-1}

⇒ increasing degrees of freedom


Slide 7

The Rebound Attack

[Figure: E split into E_bw, E_in, E_fw; the inbound phase sits in E_in, the two outbound phases in E_bw and E_fw]

Applies to block-cipher and permutation based designs:
  E = E_fw ∘ E_in ∘ E_bw
  P = P_fw ∘ P_in ∘ P_bw

Inbound phase:
  • efficient meet-in-the-middle phase in E_in
  • aided by available degrees of freedom
  • called match-in-the-middle

Outbound phase:
  • probabilistic part in E_bw and E_fw
  • repeat inbound phase if needed


Slide 8

Comparison with other Strategies

[Figure: three diagrams of the compression function (M_t, H_{t-1}) → H_t showing where each strategy starts: inside-out approach; meet-in-the-middle attack; rebound attack with the inbound phase in the middle and the outbound phases towards M_t, H_{t-1} and H_t]



Slide 10

The Whirlpool Hash Function

[Figure: block cipher W keyed by H_{t-1} and encrypting M_t, output fed forward (⊕) to give H_t; state update rounds SB SC MR AK, key schedule rounds SB SC MR AC]

  • Designed by Barreto and Rijmen
      • submitted to NESSIE in 2000
      • standardized by ISO/IEC 10118-3:2003
  • 512-bit hash value, using 512-bit message blocks
  • Block-cipher based (AES like)
      • Miyaguchi-Preneel mode with conservative key-schedule
  • No attacks in 8 years of existence


Slide 11

The Whirlpool Round Transformations

[Figure: one round: SubBytes S(x) → ShiftColumns → MixRows → AddRoundKey K_i; key schedule K_0 … K_10 derived from H_{t-1}, states S_0 … S_10 from M_t to H_t through rounds r_1 … r_10, with the feed-forward ⊕ at the end]

  • 10 rounds, AES like round transformations on two 8 × 8 states
  • key schedule round: k_i = AC ∘ MR ∘ SC ∘ SB
  • state update round: r_i = AK ∘ MR ∘ SC ∘ SB


Slide 12

Wide-Trails in Whirlpool

[Figure: the 10-round Whirlpool diagram of the previous slide (K_0 … K_10, S_0 … S_10, r_1 … r_10)]

Minimum number of active S-boxes
  • 81 for any 4-round trail: (8 − 64 − 8 − 1)
  • maximum differential probability: (2^−5)^81 = 2^−405

Collision attack on Whirlpool: < 2^256
  • use "message modification" techniques (first rounds)
  • a full active state remains: probability (2^−5)^64 = 2^−320



Slide 14

The Rebound Attack on Whirlpool

[Figure: rounds r_1 … r_4 with states S_0 … S_4 and keys K_0 … K_4; the inbound phase covers r_2 and r_3, the outbound phases cover r_1 and r_4 up to the feed-forward]

Inbound phase:
  (1) start with differences in round r_2 and r_3
  (2) match-in-the-middle at S-box using values of the state

Outbound phase:
  (3) probabilistic propagation in MixRows of r_1 and r_4
  (4) match one-byte difference of feed-forward


Slide 15

Inbound Phase

[Figure: S_2 → SC → S_2^SC → MR, AK (K_2) → S_3 → SB → S_3^SB → SC → MR → S_3^MR; Step 1 at both ends, Step 2 at the S-box layer of r_3]

(1) Start with differences in state S_2^SC and S_3^MR
  • linear propagation to full active state of S_2 and S_3^SB
  • deterministic due to MDS property of MixRows

(2) Match-in-the-middle at S-box of round r_3
  • differential match for single S-box: probability ∼ 2^−1
  • for each match we get 2–8 possible values for the S-box

⇒ with a complexity of 2^64, we get 2^64 matches
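The single S-box match of step (2), as an added example that is not from the slides or the authors' code: it builds the difference distribution table (DDT) of an 8-bit S-box and lists the state values at which a given (input difference, output difference) pair is realised. The AES S-box is generated as a stand-in because the Whirlpool S-box table is not on this page (assumption: the AES DDT has entries up to 4 where Whirlpool's reaches 8, so an AES match yields 2–4 values instead of 2–8, while the ∼2^−1 match probability is the same).

```python
# Added example (not from the slides). Differential match at one 8-bit S-box,
# as in inbound step (2). Assumption: the AES S-box stands in for Whirlpool's,
# whose table is not on the page; AES DDT entries reach 4 (Whirlpool: 8).

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse as a^254 (0 maps to 0, as in AES)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def aes_sbox():
    """AES S-box: inversion in GF(2^8) followed by the affine map with 0x63."""
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xff
    box = []
    for x in range(256):
        v = gf_inv(x)
        box.append(v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63)
    return box

def ddt(sbox):
    """Difference distribution table: ddt[din][dout] = #{x : S(x)^S(x^din) = dout}."""
    t = [[0] * 256 for _ in range(256)]
    for din in range(256):
        for x in range(256):
            t[din][sbox[x] ^ sbox[x ^ din]] += 1
    return t

def sbox_match(sbox, din, dout):
    """Inbound step (2): all state values x at which the S-box maps input
    difference din to output difference dout (empty list = no match)."""
    return [x for x in range(256) if sbox[x] ^ sbox[x ^ din] == dout]

def match_statistics(sbox):
    """Over all nonzero (din, dout): fraction of pairs admitting a match
    (the 'probability ~ 2^-1' of the slide) and the set of solution counts."""
    t = ddt(sbox)
    nonzero = [t[i][o] for i in range(1, 256) for o in range(1, 256) if t[i][o]]
    return len(nonzero) / (255 * 255), set(nonzero)
```

For the AES S-box every DDT row with din ≠ 0 has 127 of 255 nonzero entries (one of value 4, the rest 2), which is the ∼2^−1 match probability; a full 8 × 8 state needs 64 such matches, hence the 2^64 in the slide.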


Slide 16

Outbound Phase

[Figure: rounds r_1 … r_4 with states S_0 … S_4 and keys K_1 … K_4; Step 3 in the MixRows of r_1 and r_4, Step 4 at the feed-forward on both sides]

(3) Propagate through MixRows of r_1 and r_4
  • using truncated differences (active bytes: 8 → 1)
  • probability: 2^−56 in each direction

(4) Match difference in one active byte of feed-forward

⇒ complexity for 4 round collision of Whirlpool: 2^120


Slide 17

Extension to more Rounds

[Figure: inbound phase extended over rounds r_2 to r_4 of state (S_2 … S_4) and key schedule (K_2, K_3); Step 1 at both ends, Step 2a at the S-box layers of r_3 and r_4, Step 2b in between]

Semi-free-start collision on 5 rounds
  • extend inbound phase using degrees of freedom in key
  • same complexity (2^120) as in 4 round attack

[Figure: rounds r_1 … r_7.5 with states S_0 … S_7.5 and keys K_1 … K_7; inbound phase (Steps 1, 2) in the middle, Step 3 outbound in both directions, Step 4 at M_t and H_t]

Semi-free-start near-collision on 7.5 rounds
  • extend outbound phase with probability one (MixRows)
  • near-collision on 52 of 64 bytes (2^128)



Slide 19

SHA-3 Candidate Grøstl

[Figure: compression function with permutations P512 and Q512 (round: AC SB ShB MB); M_t enters Q512, H_{t-1} ⊕ M_t enters P512, both outputs are added (⊕) to H_{t-1} to give H_t]

Compression function of Grøstl
  • permutation based, no key-schedule inputs
  • AES based round transformations (AC, SB, ShB, MB)
  • Grøstl-256: 8 × 8 state for P512 and Q512, 10 rounds each


Slide 20

Rebound Attack on Grøstl-256

[Figure: rounds r_1 … r_6 of P (states P_0 … P_6) and Q (states Q_0 … Q_6), each round AC SB ShB MB; inbound phase (Steps 1, 2) in the middle rounds of both permutations, Step 3 outbound towards both ends, Step 4 matching at M_t / H_{t-1} and at the output H_t]

Semi-free-start collision on 6 rounds of Grøstl-256
  • fewer degrees of freedom (no key schedule input)
  • maximize them using differential trails in both permutations
  • birthday match on input and output differences

Complexity of attack: ∼ 2^120



Slide 22

Results

Summary of attacks:

  hash function   rounds   computational complexity   memory requirements   type
  Whirlpool       4.5/10   2^120                      2^16                  collision
                  5.5/10   2^120                      2^16                  semi-free-start collision
                  7.5/10   2^128                      2^16                  semi-free-start near-collision
  Grøstl-256      6/10     2^120                      2^70                  semi-free-start collision

Improvements?
  • still degrees of freedom in key schedule left (Whirlpool)
  • 8.5/10 rounds attack on Maelstrom[1] (1024 bit key)
  • 8.5/12 rounds of SHA-3 candidate Cheetah-512

[1] Gazzoni Filho, Barreto, Rijmen (SBSeg 2006)

Slide 23

Conclusions

The Rebound Attack
  • inbound phase for expensive parts
  • outbound phase for "cheaper" parts

Contribute to hash function cryptanalysis toolbox
  • improved analysis of AES based designs
  • better attacks for more degrees of freedom
  • simple designs allow simple analysis

Future work
  • apply to other design strategies
  • analyze SHA-3 candidates
  • give bounds for simple AES based designs
