The Usage of Counter Revisited: Second-Preimage Attack on New - - PowerPoint PPT Presentation



SLIDE 1

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

Jérémy Jean (1), joint work with Jian Guo (1), Gaëtan Leurent (2), Thomas Peyrin (1) and Lei Wang (1)

(1) Nanyang Technological University, Singapore; (2) INRIA, France

SAC 2014 – August 14, 2014

SLIDE 2

Introduction Our observation Diamond attack Expandable message attack Conclusion

Streebog: new Russian hash function.

◮ New hash function standard in Russia.
◮ Standardized name: GOST R 34.11-2012.
◮ Nickname of that function: Streebog.
◮ Previous standard: GOST R 34.11-94.
  ◮ Theoretical weaknesses.
  ◮ Relies on the GOST block cipher from the same standard.
  ◮ This block cipher has also been weakened by third-party cryptanalysis.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 2/19

SLIDE 3


Specifications: domain extension.

◮ Two versions: Streebog-256 and Streebog-512.
◮ 10* padding: $m_1 \| \cdots \| m_t \| m$ (blocks of 512 bits).
◮ Compression function: $g$.
◮ Checksum: $\Sigma$, over the message blocks $m_i$ (addition modulo $2^{512}$).
◮ Counter: $N$, HAIFA input to $g$ over the number of processed bits.
◮ Three stages: initialization, message processing and finalization.

[Figure: domain extension. Stage 1: $h_0 = IV$. Stage 2: $g$ is iterated over the 512-bit blocks $m_1, \ldots, m_t$ and the padded last block $m$, producing $h_1, h_2, \ldots, h_t$ while $N$ and $\Sigma$ are updated. Stage 3: two final calls of $g$ on $|M|$ and $\Sigma$ give $h_{t+1}$, $h_{t+2}$ and the output $h$.]

SLIDE 4


Specifications: compression function.

◮ Simplification: the counter counts #blocks, not #bits.
◮ $g$ compresses $(h_{i-1}, i, m_i)$ to $h_i$ using: $h_i = f(h_{i-1} \oplus i, m_i) \oplus h_{i-1}$.
◮ Our attack is independent of the specifications of $f$ (deterministic).

[Figure: $g$ built around $f$, with inputs $i$, $h_{i-1}$, $m_i$ and output $h_i$.]

◮ $g$ is one instantiation of a HAIFA compression function.
◮ The counter is simply XORed to the input of the $f$ function.

SLIDE 9


Equivalent compression function.

$h_i = h_{i-1} \oplus f(h_{i-1} \oplus i, m_i) \iff h_i = F(h_{i-1} \oplus i, m_i) \oplus i$, where $F(x, m_i) = f(x, m_i) \oplus x$.

[Figure: the same $g$ redrawn so that $h_{i-1} \oplus i$ enters $F$ and $i$ is XORed onto the output to give $h_i$.]

The function $F$ is independent of the counter value!

SLIDE 10


Iteration of the equivalent compression function.

◮ We have an equivalent representation of the compression function.
◮ Iterating it allows the counter additions to be combined.

Define $\Delta(i) \stackrel{\text{def}}{=} i \oplus (i + 1)$ and $F_{\Delta(i)}(X, Y) \stackrel{\text{def}}{=} F(X, Y) \oplus \Delta(i)$.

[Figure: two consecutive calls $F(\cdot, m_i) \oplus i$ and $F(\cdot, m_{i+1}) \oplus (i + 1)$ starting from $h_{i-1}$; the two counter XORs between them merge into $\Delta(i)$, so the chain reads $F_{\Delta(i)}$ followed by $F_{\Delta(i+1)}$, with $i + 2$ pending on the output $h_{i+1}$.]

SLIDE 11


Relations between functions $F_{\Delta(i)}$ for $1 \le i \le t$ (1/2).

Recall that $t$ is the number of full blocks in $m_1 \| \cdots \| m_t \| m$, $|m| < 512$. We observe that:
◮ For all even $i$, $\Delta(i) = i \oplus (i + 1) = 1$. $\Rightarrow$ The same function $F_1$ is used every other time.
◮ The sequence of $\Delta(i)$ is very structured:

i:     0  1  2  3  4  5  6  7   8  9  10 11 12 13 14 15  16 17 18 19 20 21 22 23
Δ(i):  1  3  1  7  1  3  1  15  1  3  1  7  1  3  1  31  1  3  1  7  1  3  1  15

Let $s > 0$, and denote by $\langle i \rangle$ the $s$-bit binary representation of $i < 2^s - 1$:
$\Delta(i + 2^s) = \langle 1 \| i \rangle \oplus \langle 1 \| (i + 1) \rangle = \langle i \rangle \oplus \langle i + 1 \rangle = \Delta(i)$.

More generally: $F_{\Delta(i)} = F_{\Delta(i + j \cdot 2^s)}$ for all $0 \le i \le 2^s - 1$ and $j \ge 0$. For example, with $s = 2$, $F_1$ and $F_{1 + 2^2} = F_5$ are equal.

SLIDE 12


Relations between functions $F_{\Delta(i)}$ for $1 \le i \le t$ (2/2).

Given an integer $s > 0$, we have: $\forall i \in \{0, \ldots, 2^s - 2\},\ \forall j > 0: F_{\Delta(i)} = F_{\Delta(j \cdot 2^s + i)}$.

[Figure: the counter split into $512 - s$ high bits and $s$ low bits. With zero high bits, $\langle i \rangle \oplus \langle i + 1 \rangle = \langle i \oplus (i + 1) \rangle = \Delta(i)$; with the same high bits $j$ on both operands, $\langle j \| i \rangle \oplus \langle j \| (i + 1) \rangle = \langle i \oplus (i + 1) \rangle = \Delta(i + j \cdot 2^s)$, since the high bits cancel.]

Consequently:
◮ The same sequence of $2^s - 1$ functions is used in the domain extension algorithm.
◮ This seems weaker than a true HAIFA mode.

SLIDE 13


Equivalent description of stage 2 of the domain extension.

◮ The last function differs in each $2^s$-chunk. $\Rightarrow$ We call it $G_j = F_{\Delta(j \times 2^s - 1)}$.
◮ We define $l$ as the number of $(2^s - 1)$-chains of $F$ functions: $l = \lfloor t / 2^s \rfloor$. Moreover, let $p$ be the remainder of $t$ modulo $2^s$.
◮ That is: the function $F_{2^s - 2} \circ \cdots \circ F_1 \circ F_0$ is reused $l$ times.

[Figure: stage 2 from $IV$ as $l$ chains $F_0, F_1, \ldots, F_{2^s - 2}$, each followed by $G_j$ ($j = 1, \ldots, l$), then the remaining $F_0, F_1, \ldots, F_p$ up to $h_t$ with the counter value $t + 1$ pending.]

SLIDE 15


Cryptographic consequences of the HAIFA instantiation.

Streebog is one choice of counter usage from the HAIFA framework. Consequences of this choice:
◮ Counters at steps $i$ and $i + 1$ can be combined.
◮ Distinction of compression function calls in the HAIFA framework not achieved.
◮ Domain extension similar to a Merkle-Damgård scheme. $\Rightarrow$ Possibility to apply existing known second-preimage attacks.

Our second-preimage attacks on Streebog (security level: $2^{512}$):
◮ Using a diamond structure:
  ◮ Original message of at least $2^{179}$ blocks.
  ◮ $2^{342}$ compression function evaluations.
◮ Using an expandable message:
  ◮ Original message of at least $2^{259}$ blocks.
  ◮ $2^{266}$ compression function evaluations.

SLIDE 16


Diamond structure (1/2)

Diamond structure:
◮ Introduced in [KK06].
◮ Complete binary tree.
◮ Nodes: chaining values.
◮ Edges: 1-block $n$-bit messages.
◮ Depth $d$.

Construction:
◮ Levels constructed sequentially.
◮ Complexity: $2^{(n + d)/2}$ calls.
◮ Evaluation done in [KK13].

[Figure: diamond with root $h_\diamond$ and $2^{2^s - 1}$ leaves $h^0_1, h^1_1, \ldots$ joined by message blocks $m^0_1, m^1_1, \ldots$; the levels are joined by $F_0$, then $F_{2^s - 3} \circ \cdots \circ F_1$, then $F_{2^s - 2}$.]

SLIDE 17


Diamond structure (2/2)

Diamond used in our attack:
◮ Root $h_\diamond$.
◮ Depth $d = 2^s - 1$.
◮ $F_i$'s used to join the levels.
◮ #leaves $= 2^{2^s - 1}$.

Remarks:
◮ Same function at each level in the original attack on Merkle-Damgård.
◮ Here, full control of the counter effect in the $(2^s - 1)$-chains with different functions $F_i$.

[Figure: the same diamond as on the previous slide: root $h_\diamond$, $2^{2^s - 1}$ leaves, levels joined by $F_0$, $F_{2^s - 3} \circ \cdots \circ F_1$ and $F_{2^s - 2}$.]

SLIDE 18


Overview of the diamond attack.

[Figure: the original message is processed from $IV$ as chains $G_1 \circ (F_{2^s - 2} \circ \cdots \circ F_0)$, $G_2 \circ (F_{2^s - 2} \circ \cdots \circ F_0)$, ..., $F_{p - 1} \circ \cdots \circ F_0$, then $|M|$ and $\Sigma$ (chunk lengths $2^s, 2^s, \ldots, p, 1, 1$; the first $l' \times 2^s$ blocks, then the remaining $t - l' \times 2^s$). The second preimage is built from a $2^{512}$-multicollision from $IV$ to $\tilde h$ (1024 blocks; pairs $h_k / h'_k$ with weights $2^0, 2^1, \ldots, 2^{511}$), $L$ random blocks, one block $m^{\nearrow}_\diamond$ into a $2^d$-diamond of depth $d = 2^s - 1$ with root $h_\diamond$, and one block $m^{\searrow}_\diamond$ from $h_\diamond$ to $h'_\diamond$ on the original chain.]

1. Construction of the diamond.
2. Randomize $m^{\searrow}_\diamond$ to hit $h'_\diamond$.
3. Deduce the counter value $N$.
4. Construct the $2^{512}$-multicollision.
5. Randomize $L$ blocks to match $|M|$.
6. Pick about $2^{n - d}$ values of $m^{\nearrow}_\diamond$ to hit the diamond.
7. Evaluate the reduced checksum $\sigma$.
8. Use the multicollision to match $\Sigma - \sigma$.

SLIDE 26


Complexity analysis of the diamond attack.

Time complexity $T$:
$T = 2^{(n + d)/2} + 512 \times 2^{n/2} + 2^{n - \log_2(l)} + 2^{n - d}$, with:
◮ $2^{(n + d)/2}$: construction of the diamond.
◮ $512 \times 2^{n/2}$: Joux's multicollision using 512 two-block messages.
◮ $2^{n - \log_2(l)}$: connect the root of the diamond to the original message.
◮ $2^{n - d}$: connect the multicollision to one leaf of the diamond.

Minimize with:
◮ $d = n/3 = 2^s - 1$ the depth of the diamond, i.e. $s = \lceil \log_2(n/3) \rceil$.
◮ as long as $l = \lfloor t / 2^s \rfloor$ satisfies $l \ge 2^{n/3}$, i.e. $t \ge \lceil 2^{n/3 + \log_2(n/3)} \rceil$.
◮ For Streebog-512: $T = 2^{342}$ for $|M| \ge 2^{179}$.

SLIDE 27


Overview of the attack using an expandable message.

[Figure: the original message is processed from $IV$ through chains of length $2^s, 2^s, \ldots, p$ (the last one $F_{p - 1} \circ \cdots \circ F_0$), then $|M|$ and $\Sigma$, with counter $N$. The second preimage is built from a $2^{512}$-multicollision from $IV$ to $\tilde h$ (1024 blocks; pairs $h_k / h'_k$ with weights $2^0, 2^1, \ldots, 2^{511}$), an expandable message of length $L$ from $\tilde h$ to $h_*$, and one block $m_*$ from $h_*$ to $h'_*$ on the original chain.]

1. Construct the $2^{512}$-multicollision.
2. Construct the expandable message.
3. Randomize $m_*$ to hit $h'_*$.
4. Deduce the counter value.
5. Choose the valid length $L$ and solve the checksum.

SLIDE 28


Complexity analysis.

Time complexity $T$:
$T = 512 \times 2^{n/2} + 256 \times 2^{n/2} + 2^{n - l}$, with:
◮ $512 \times 2^{n/2}$: Joux's multicollision using 512 two-block messages.
◮ $256 \times 2^{n/2}$: construction of the expandable message.
◮ $2^{n - l}$: connect the expandable message to the challenge ($l = \lfloor t / 2^s \rfloor$).

Minimize with:
◮ $l > 2^{n/2} / n$, i.e. more than $2^{259}$ blocks in the original message.
◮ $T$ about $n \cdot 2^{n/2}$, i.e. $2^{266}$ CF evaluations ($s = 11$).

SLIDE 29


Comparison of the two attacks

Attack               Number of blocks (log2)   Time (log2)
Diamond              179                       342
Expandable message   259                       266

(Both axes run up to 512, the security level; the diamond attack applies to shorter messages.)

SLIDE 31


Conclusion

◮ We study Streebog, the Russian hashing standard.
◮ The hash function instantiates the HAIFA framework.
◮ We propose an equivalent representation that hijacks the counter effect of Streebog-512.
◮ Consequently, one can reuse previous second-preimage attack strategies:
  ◮ using a diamond structure,
  ◮ using an expandable message.
◮ The two attacks have time complexity $T$ for message length $> L$:
  ◮ $T = 2^{342}$ and $L = 2^{179}$,
  ◮ $T = 2^{266}$ and $L = 2^{259}$.

Thank you!

SLIDE 32

Expandable message attack Bibliography

Expandable message

◮ Expandable messages due to [KS05].
◮ Multicollision with different lengths:
  ◮ $t$ pairs with lengths $(1, 2^k + 1)$, $0 \le k < t$.
  ◮ Set of $2^t$ messages with length in $[t, 2^t + t - 1]$.
  ◮ All reach the same final chaining value $x_*$.
◮ Construction of a message $m$ of length $t + L$ using the binary representation of $L$, that links $IV$ to $x_*$.
◮ Second-preimage attack on MD:
  ◮ Link $x_*$ to the original message using random blocks.
  ◮ This gives the length to use in the expandable message.
◮ HAIFA prevents using an expandable message with the counter input.

[Figure: expandable message from $IV$ to $x_*$ as 7 pairs $m_k / m'_k$ of lengths (1 block, $2^k + 1$ blocks) for $k = 7, 6, \ldots, 1$.]

SLIDE 33


Expandable messages in Streebog

◮ Here, the counter input is weak.
◮ We can still apply the expandable message technique:
  ◮ The functions $F_{\Delta(i)}$ are independent of the counter,
  ◮ but the inner calls are not the same (HAIFA, not MD).
◮ Small example: 4 messages from $\tilde h$ to $x_2$.
  ◮ Find $(m'_3, m_3)$ of lengths $(1, 2^3 + 1)$ colliding on $x_3$.
  ◮ Find $(m'_2, m_2)$ of lengths $(1, 2^2 + 1)$ colliding on $x_2$.
◮ The 4-message structure has lengths in $\{2, 6, 10, 14\}$.

[Figure: from $\tilde h$, the chain of functions indexed by $\Delta(i)$: 1 3 1 7 1 3 1 15 1 3 1 7 1 3 1 ... 31. The four messages $m'_3 m'_2$ (length 2), $m'_3 m_2$ (length 6), $m_3 m'_2$ (length 10) and $m_3 m_2$ (length 14) all reach $x_2$ via $x_3$.]

SLIDE 40


Bibliography I

[KK06] John Kelsey and Tadayoshi Kohno. Herding hash functions and the Nostradamus attack. In Serge Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 183–200. Springer, May / June 2006.

[KK13] Tuomas Kortelainen and Juha Kortelainen. On diamond structures and trojan message attacks. In Kazue Sako and Palash Sarkar, editors, ASIACRYPT 2013, Part II, volume 8270 of LNCS, pages 524–539. Springer, 2013.

[KS05] John Kelsey and Bruce Schneier. Second preimages on $n$-bit hash functions for much less than $2^n$ work. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 474–490. Springer, May 2005.
