the rebound attack cryptanalysis of reduced whirlpool and
play

The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl - PowerPoint PPT Presentation

Jul 09, 2023 •321 likes •556 views

Technical University of Denmark - Graz University of Technology The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian Rechberger 1 , Martin Schl affer 1 , Sren S. Thomsen 2 1 Institute for Applied

  1. Technical University of Denmark - Graz University of Technology The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl Florian Mendel 1 , Christian Rechberger 1 , Martin Schl¨ affer 1 , Søren S. Thomsen 2 1 Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria 2 Department of Mathematics, Technical University of Denmark Matematiktorvet 303S, DK-2800 Kgs. Lyngby, Denmark FSE 2009 1

  2. Technical University of Denmark - Graz University of Technology Overview 1 Motivation The Rebound Attack 2 The Whirlpool Hash Function 3 Rebound Attack on Whirlpool 4 5 Rebound Attack on Grøstl Results and Conclusions 6 FSE 2009 2

  3. Technical University of Denmark - Graz University of Technology Overview 1 Motivation The Rebound Attack 2 The Whirlpool Hash Function 3 Rebound Attack on Whirlpool 4 5 Rebound Attack on Grøstl Results and Conclusions 6 FSE 2009 3

  4. Technical University of Denmark - Graz University of Technology Motivation NIST SHA-3 Competition diversity of designs diversity of cryptanalytic tools needed Many AES based designs how to analyze them? we contribute with new attack to this toolbox Applications? idea of attack is widely applicable Whirlpool, Grøstl FSE 2009 4

  5. Technical University of Denmark - Graz University of Technology Overview 1 Motivation The Rebound Attack 2 The Whirlpool Hash Function 3 Rebound Attack on Whirlpool 4 5 Rebound Attack on Grøstl Results and Conclusions 6 FSE 2009 5

  6. Technical University of Denmark - Graz University of Technology Collision Attacks on Hash Functions iterated hash function h ( M , IV ) compression function f : H t = f ( M t , H t − 1 ) , H 0 = IV different types of collision attacks: (1) collision: fixed IV f ( M t , IV ) = f ( M ′ t , IV ) , M t � = M ′ t (2) semi-free-start collision: random chaining input f ( M t , H t − 1 ) = f ( M ′ t , H t − 1 ) , M t � = M ′ t (3) free-start collision: random differences and values of chaining input f ( M t , H t − 1 ) = f ( M ′ t , H ′ t − 1 ) , M t � = M ′ t , H t − 1 � = H ′ t − 1 ⇒ increasing degrees of freedom FSE 2009 6

  7. Technical University of Denmark - Graz University of Technology The Rebound Attack E bw E in E fw inbound outbound outbound Applies to block-cipher and permutation based designs: E = E fw ◦ E in ◦ E bw P = P fw ◦ P in ◦ P bw Inbound phase: efficient meet-in-the-middle phase in E in aided by available degrees of freedom called match-in-the-middle Outbound phase: probabilistic part in E bw and E fw repeat inbound phase if needed FSE 2009 7

  8. Technical University of Denmark - Graz University of Technology Comparison with other Strategies M t ,H t-1 H t inside-out approach: M t ,H t-1 H t meet-in-the-middle attack: rebound attack: M t ,H t-1 H t inbound outbound outbound FSE 2009 8

  9. Technical University of Denmark - Graz University of Technology Overview 1 Motivation The Rebound Attack 2 The Whirlpool Hash Function 3 Rebound Attack on Whirlpool 4 5 Rebound Attack on Grøstl Results and Conclusions 6 FSE 2009 9

  10. Technical University of Denmark - Graz University of Technology The Whirlpool Hash Function H t-1 Block cipher W Key Schedule SB SC MR AC H t State Update SB SC MR AK + M t Designed by Barretto and Rijmen submitted to NESSIE in 2000 standardized by ISO/IEC 10118-3:2003 512-bit hash value and using 512-bit message blocks Block-cipher based (AES) Miyaguchi-Preneel mode with conservative key-schedule No attacks in 8 years of existence FSE 2009 10

  11. Technical University of Denmark - Graz University of Technology The Whirlpool Round Transformations SubBytes ShiftColumns MixRows AddRoundKey K i S(x) + 10 rounds AES like round transformations on two 8 × 8 states k i = AC ◦ MR ◦ SC ◦ SB r i = AK ◦ MR ◦ SC ◦ SB K 0 K 1 K 2 K 3 K 4 K 5 K 6 K 7 K 8 K 9 K 10 SB SB SB SB SB SB SB SB SB SB SC SC SC SC SC SC SC SC SC SC H t-1 MR MR MR MR MR MR MR MR MR MR AC AC AC AC AC AC AC AC AC AC S 0 S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 S 9 S 10 SB SB SB SB SB SB SB SB SB SB M t H t SC SC SC SC SC SC SC SC SC SC + MR MR MR MR MR MR MR MR MR MR AK AK AK AK AK AK AK AK AK AK r 1 r 2 r 3 r 4 r 5 r 6 r 7 r 8 r 9 r 10 FSE 2009 11

  12. Technical University of Denmark - Graz University of Technology Wide-Trails in Whirlpool K 0 K 1 K 2 K 3 K 4 K 5 K 6 K 7 K 8 K 9 K 10 SB SB SB SB SB SB SB SB SB SB SC SC SC SC SC SC SC SC SC SC H t-1 MR MR MR MR MR MR MR MR MR MR AC AC AC AC AC AC AC AC AC AC S 0 S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 S 9 S 10 M t SB SB SB SB SB SB SB SB SB SB H t SC SC SC SC SC SC SC SC SC SC + MR MR MR MR MR MR MR MR MR MR AK AK AK AK AK AK AK AK AK AK r 1 r 2 r 3 r 4 r 5 r 6 r 7 r 8 r 9 r 10 Minimum number of active S-boxes 81 for any 4-round trail: (8 − 64 − 8 − 1) 81 = 2 − 405 maximum differential probability: ( 2 − 5 ) Collision attack on Whirlpool: < 2 256 use “message modification” techniques (first rounds) 64 = 2 − 320 a full active state remains: probability ( 2 − 5 ) FSE 2009 12

  13. Technical University of Denmark - Graz University of Technology Overview 1 Motivation The Rebound Attack 2 The Whirlpool Hash Function 3 Rebound Attack on Whirlpool 4 5 Rebound Attack on Grøstl Results and Conclusions 6 FSE 2009 13

  14. Technical University of Denmark - Graz University of Technology The Rebound Attack on Whirlpool K 0 K 1 K 2 K 3 K 4 SB SB SB SB SC SC SC SC MR MR MR MR H t-1 AC AC AC AC S 0 S 1 S 2 S 3 S 4 SB SB SB SB M t H t SC SC SC SC + MR MR MR MR AK AK AK AK r 1 r 2 r 3 r 4 inbound outbound outbound Inbound phase: (1) start with differences in round r 2 and r 3 (2) match-in-the-middle at S-box using values of the state Outbound phase: (3) probabilistic propagation in MixRows of r 1 and r 4 (4) match one-byte difference of feed-forward FSE 2009 14

  15. Technical University of Denmark - Graz University of Technology Inbound Phase K 2 S 2 S 2 S 3 S 3 SC SB MR MR SC SB AK MR r 2 r 3 r 3 Step 1 Step 2 Step 1 (1) Start with differences in state S SC and S MR 3 2 linear propagation to full active state of S 2 and S SB 3 deterministic due to MDS property of MixRows (2) Match-in-the-middle at S-box of round r 3 differential match for single S-box: probability ∼ 2 − 1 for each match we get 2-8 possible values for the S-box ⇒ with a complexity of 2 64 , we get 2 64 matches FSE 2009 15

  16. Technical University of Denmark - Graz University of Technology Outbound Phase K 1 K 2 K 3 K 4 S 0 S 1 S 2 S 3 S 4 SB SB SB SB M t H t SC SC SC SC + MR MR MR MR AK AK AK AK r 1 r 2 r 3 r 4 Step 3 Step 3 Step 4 Step 4 (3) Propagate through MixRows of r 1 and r 4 using truncated differences (active bytes: 8 → 1) probability: 2 − 56 in each direction (4) Match difference in one active byte of feed-forward ⇒ complexity for 4 round collision of Whirlpool: 2 120 FSE 2009 16

  17. Technical University of Denmark - Graz University of Technology Extension to more Rounds K 2 K 3 S 2 SB S 2 MR S 2 S 3 SB S 3 S 4 SB S 4 MR SC SC SC SC AK SB MR SB MR MR MR AK r 2 r 2 r 3 r 3 r 4 r 4 Step 1 Step 1 Step 2b Step 2a Step 2a Step 1 Semi-free-start collision on 5 rounds extend inbound phase using degrees of freedom in key same complexity (2 120 ) as in 4 round attack K 1 K 2 K 3 K 4 K 5 K 6 K 7 S 0 S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 7.5 H t SB SB SB SB SB SB SB M t SC SC SC SC SC SC SC SB + + MR MR MR MR MR MR MR SC AK AK AK AK AK AK AK r 1 r 2 r 3 r 4 r 5 r 6 r 7 r 7.5 Step 3 Step 3 Step 1 Step 2 Step 1 Step 3 Step 3 Step 3 Step 4 Step 4 Semi-free-start near-collision on 7.5 rounds extend outbound phase with probability one (MixRows) near-collision on 52 of 64 bytes (2 128 ) FSE 2009 17

  18. Technical University of Denmark - Graz University of Technology Overview 1 Motivation The Rebound Attack 2 The Whirlpool Hash Function 3 Rebound Attack on Whirlpool 4 5 Rebound Attack on Grøstl Results and Conclusions 6 FSE 2009 18

  19. Technical University of Denmark - Graz University of Technology SHA-3 Candidate Grøstl M t Q 512 AC SB ShB MB H t-1 H t P 512 AC SB ShB MB + + Compression function of Grøstl permutation based, no key-schedule inputs AES based round transformations (AC, SB, ShB, MB) Grøstl-256: 8 × 8 state for P 512 and Q 512 8 × 8 state for P 512 and Q 512 10 rounds each FSE 2009 19

  20. Technical University of Denmark - Graz University of Technology Rebound Attack on Grøstl-256 Q 0 Q 1 Q 2 Q 3 Q 4 Q 5 Q 6 AC AC AC AC AC AC M t SB SB SB SB SB SB ShB ShB ShB ShB ShB ShB MB MB MB MB MB MB Step 3 Step 3 Step 1 Step 2 Step 1 Step 3 Step 3 Step 4 Step 4 P 0 P 1 P 2 P 3 P 4 P 5 P 6 AC AC AC AC AC AC H t-1 H t SB SB SB SB SB SB + + ShB ShB ShB ShB ShB ShB MB MB MB MB MB MB r 1 r 2 r 3 r 4 r 5 r 6 Semi-free-start collision on 6 rounds of Grøstl-256 less degrees of freedom (no key schedule input) maximize using differential trails in both permutations birthday match on input and output differences Complexity of attack: ∼ 2 120 FSE 2009 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline Motivation 1 2 Whirlpool Hash

1.01k views • 72 slides
Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline Motivation 1 2 Whirlpool Hash

562 views • 35 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore March 11, 2013 1 Outline Backgrounds Specification Previous Analysis Slidex Attack Application Multicollision Application

744 views • 42 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3

Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3

Equivalent Key Recovery Attacks against HMAC and NMAC with Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3 1: Nanyang Technological University, Singapore 2: NTT Secure Platform Laboratories,

412 views • 25 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and Lei Wei 3 1 Ecole Polytechnique Fdrale de Lausanne, Switzerland 2 Institute for Infocomm Research, Singapore 3 Nanyang Technological University,

783 views • 46 slides
Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and Lei Wei 3 1 Ecole Polytechnique Fdrale de Lausanne, Switzerland 2 Institute for Infocomm Research, Singapore 3 Nanyang Technological University,

945 views • 51 slides
Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Py SPP attack Improving on the attack Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py SPP attack Improving on the attack Py eSTREAM entrant by Eli Biham and Jennifer Seberry Fast in

870 views • 38 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

472 views • 25 slides
Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa Anas Tschichold Go Goal: No Rebound! after an efficiency improvement to produce one unit, price will not decrease and therefore demand will

786 views • 39 slides
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming

403 views • 25 slides
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X. Standaert , J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL Belgium FSE 2008 Collard B. (UCL

448 views • 33 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Current Conditions &amp; Outlook in Credit Markets A Tale of Three Periods Dr. Edward Altman

Current Conditions &amp; Outlook in Credit Markets A Tale of Three Periods Dr. Edward Altman

Current Conditions &amp; Outlook in Credit Markets A Tale of Three Periods Dr. Edward Altman NYU Stern School of Business Distressed Assets Symposium University of Toronto Faculty of Law Toronto, Canada March 03, 2010 1 YTM Spread Betw

415 views • 29 slides
Machin ine Learnin ing Basic ics I2DL: Prof. Niessner, Prof. Leal-Taix 1 Machin ine Learn

Machin ine Learnin ing Basic ics I2DL: Prof. Niessner, Prof. Leal-Taix 1 Machin ine Learn

Machin ine Learnin ing Basic ics I2DL: Prof. Niessner, Prof. Leal-Taix 1 Machin ine Learn rning Task I2DL: Prof. Niessner, Prof. Leal-Taix 2 Im Image Cla lassific ication I2DL: Prof. Niessner, Prof. Leal-Taix 3 Appearance

936 views • 90 slides
Information Session Housekeeping and Objectives Housekeeping Evacuation, toilets, smoking,

Information Session Housekeeping and Objectives Housekeeping Evacuation, toilets, smoking,

Information Session Housekeeping and Objectives Housekeeping Evacuation, toilets, smoking, mobile phones Objectives Focus on key aspects and requirements of legislations Message from the Minister Creating jobs for Western Australians

424 views • 26 slides
Exploring Digital Readiness in Rural Community General Practice Professor Suzanne Robinson

Exploring Digital Readiness in Rural Community General Practice Professor Suzanne Robinson

Exploring Digital Readiness in Rural Community General Practice Professor Suzanne Robinson Curtin University November 2018 This project has been commissioned by WA Primary Health Alliance through funding provided by the Australian Government

587 views • 29 slides
STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O.

STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O.

mjos@item.ntnu.no STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O. Saarinen Norwegian University of Science and Technology Directions in Authentication Ciphers '14 24 August 2014, Santa Barbara USA 1

220 views • 19 slides
Why One Test Triggered a 180 Turn in How All Whirlpool Brands Direct Market to Consumers

Why One Test Triggered a 180 Turn in How All Whirlpool Brands Direct Market to Consumers

Why One Test Triggered a 180 Turn in How All Whirlpool Brands Direct Market to Consumers Thomas s Mender Ben Benjamin Huppertz Sr. Manager, Database Marketing Sr. Research Manager Whirlpool MECLABS Session Speaker Thomas Mender

648 views • 51 slides
CS 188: Artificial Intelligence Hidden Markov Models Instructors: Pieter Abbeel and Dan Klein ---

CS 188: Artificial Intelligence Hidden Markov Models Instructors: Pieter Abbeel and Dan Klein ---

CS 188: Artificial Intelligence Hidden Markov Models Instructors: Pieter Abbeel and Dan Klein --- University of California, Berkeley [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188

739 views • 22 slides
Algorithmic Analysis of Polygonal Hybrid Systems G ERARDO S CHNEIDER V ERIMAG G RENOBLE

Algorithmic Analysis of Polygonal Hybrid Systems G ERARDO S CHNEIDER V ERIMAG G RENOBLE

Algorithmic Analysis of Polygonal Hybrid Systems G ERARDO S CHNEIDER V ERIMAG G RENOBLE Algorithmic Analysis of Polygonal Hybrid Systems p.1/66 Hybrid Systems Hybrid Systems: interaction between discrete and continuous behaviors

1.72k views • 147 slides

More recommend