The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function (PowerPoint presentation)
  1. The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
     Jérémy Jean (1), joint work with Jian Guo (1), Gaëtan Leurent (2), Thomas Peyrin (1), Lei Wang (1)
     (1) Nanyang Technological University, Singapore; (2) INRIA, France
     SAC 2014 – August 14, 2014

  2. Streebog: new Russian hash function.
     (Talk outline: Introduction, Our observation, Diamond attack, Expandable message attack, Conclusion.)
     ◮ New hash function standard in Russia.
       ◮ Standardized name: GOST R 34.11-2012.
       ◮ Nickname of that function: Streebog.
     ◮ Previous standard: GOST R 34.11-94.
       ◮ Theoretical weaknesses.
       ◮ Relies on the GOST block cipher from the same standard.
       ◮ This block cipher has also been weakened by third-party cryptanalysis.
     SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 2/19

  3. Specifications: domain extension.
     Two versions: Streebog-256 and Streebog-512.
     ◮ 10* padding: $m_1 \| \cdots \| m_t \| m$ (blocks of 512 bits).
     ◮ Compression function: $g$.
     ◮ Checksum: $\Sigma$, over the message blocks $m_i$ (addition modulo $2^{512}$).
     ◮ Counter: $N$, HAIFA input to $g$ over the number of processed bits.
     ◮ Three stages: initialization, message processing and finalization.
     [Figure: the three stages. Stage 1: $h_0 = IV$. Stage 2: $h_1, h_2, \ldots, h_t$ produced by $g$ from $m_1, m_2, \ldots, m_t$, the counter $N$ advancing by 512 bits per block and $\Sigma$ accumulating the blocks. Stage 3: $g$ on the last block $m$ with counter input $|M|$, then two further calls of $g$ with counter input 0 (on $|M|$ and on $\Sigma$) giving $h_{t+1}$, $h_{t+2}$ and the output $h$.]

  4. Specifications: compression function.
     Simplification: the counter counts #blocks, not #bits.
     ◮ $g$ compresses $(h_{i-1}, i, m_i)$ to $h_i$ using: $h_i = f(h_{i-1} \oplus i, m_i) \oplus h_{i-1}$.
     ◮ Our attack is independent of the specifications of $f$ (deterministic).
     [Figure: $g$ takes $m_i$, $i$ and $h_{i-1}$; the counter $i$ is XORed into $h_{i-1}$ before $f$, and $h_{i-1}$ is fed forward into the output $h_i$.]
     ◮ $g$ is one instantiation of a HAIFA compression function.
     ◮ The counter is simply XORed to the input of the $f$ function.

  5–9. Equivalent compression function (one slide, built up over five animation frames).
     $h_i = h_{i-1} \oplus f(h_{i-1} \oplus i, m_i)$ ⇔ $h_i = F(h_{i-1} \oplus i, m_i) \oplus i$, where $F(x, m_i) = f(x, m_i) \oplus x$.
     [Figure: left, the original $g$ with the feed-forward of $h_{i-1}$; right, the equivalent form in which $i$ is XORed into the input of $F$ and again into its output.]
     The function $F$ is independent of the counter value!

  10. Iteration of the equivalent compression function.
     ◮ We have an equivalent representation of the compression function.
     ◮ Its iteration allows to combine the counter additions.
     $\Delta(i) \stackrel{\text{def}}{=} i \oplus (i+1)$, and $F_{\Delta(i)}(X, Y) \stackrel{\text{def}}{=} F(X, Y) \oplus \Delta(i)$.
     [Figure: two consecutive steps. Top: $h_{i+1} = F\big(F(h_{i-1} \oplus i, m_i) \oplus i \oplus (i+1),\, m_{i+1}\big) \oplus (i+1)$. Bottom: the two counter XORs between the calls merge into $\Delta(i)$, so starting from $h_{i-1} \oplus i$ the chain reads $F_{\Delta(i)}$, then $F_{\Delta(i+1)}$, whose output $h_{i+1} \oplus (i+2)$ is already the input of the next call.]

  11. Relations between functions $F_{\Delta(i)}$ for $1 \le i \le t$ (1/2).
     Recall that $t$ is the number of full blocks: $m_1 \| \cdots \| m_t \| m$, $|m| < 512$.
     We observe that:
     ◮ For all even $i$, $\Delta(i) = i \oplus (i+1) = 1$. ⇒ The same function $F_1$ is used every other time.
     ◮ The sequence of $\Delta(i)$ is very structured:
       $i$      : 0 1 2 3 4 5 6 7  8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
       $\Delta(i)$ : 1 3 1 7 1 3 1 15 1 3 1  7  1  3  1 31  1  3  1  7  1  3  1 15
     Let $s > 0$, and denote by $\langle i \rangle$ the $s$-bit binary representation of $i < 2^s - 1$:
       $\Delta(i + 2^s) = \big(1 \| \langle i \rangle\big) \oplus \big(1 \| \langle i+1 \rangle\big) = \langle i \rangle \oplus \langle i+1 \rangle = \Delta(i)$.
     More generally: $F_{\Delta(i)} = F_{\Delta(i + j \cdot 2^s)}$ for all $0 \le i \le 2^s - 1$ and $j \ge 0$.
     For example, with $s = 2$, $F_1$ and $F_{1 + 2^2} = F_5$ are equal.

  12. Relations between functions $F_{\Delta(i)}$ for $1 \le i \le t$ (2/2).
     Given an integer $s > 0$, we have: $\forall i \in \{0, \ldots, 2^s - 2\},\ \forall j > 0:\ F_{\Delta(i)} = F_{\Delta(j \cdot 2^s + i)}$.
     [Figure: the counters split into $512 - s$ high bits and $s$ low bits.
       $\Delta(i) = (0 \| \langle i \rangle) \oplus (0 \| \langle i+1 \rangle) = 0 \| \langle i \oplus (i+1) \rangle$;
       $\Delta(i + j \cdot 2^s) = (j \| \langle i \rangle) \oplus (j \| \langle i+1 \rangle) = 0 \| \langle i \oplus (i+1) \rangle$.
       The high halves cancel, so the two values coincide.]
     Consequently:
     ◮ The same sequence of $2^s - 1$ functions is used in the domain extension algorithm.
     ◮ This seems weaker than a true HAIFA mode.

  13. Equivalent description of stage 2 of the domain extension.
     ◮ The last function differs in each $2^s$-chunk. ⇒ We call it $G_j = F_{\Delta(j \times 2^s - 1)}$.
     ◮ We define $l$ as the number of $(2^s - 1)$-chains of $F$ functions: $l = \lfloor t / 2^s \rfloor$. Moreover, let $p$ be the remainder of $t$ modulo $2^s$.
     ◮ That is: the function $F_{2^s - 2} \circ \cdots \circ F_1 \circ F_0$ is reused $l$ times.
     [Figure: from $IV$ (counter 0), the chain $F_0, F_1, \ldots, F_{2^s - 2}$ followed by $G_1$; …; $F_0, F_1, \ldots, F_{2^s - 2}$ followed by $G_l$; then the partial chain $F_0, F_1, \ldots, F_p$ reaching $h_t$ (counter $t + 1$).]
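The identities of slides 4 to 13 can be checked mechanically on a scaled-down instance. The following Python is an added example, not code from the presentation or its authors. It assumes a toy 16-bit state (the real function uses 512 bits) and a constructed stand-in for Streebog's inner function f built from blake2b; the slides state that the observation does not depend on f, only on how the counter enters g. It follows the slide-4 convention that block m_i is processed with block counter i. It checks that g and its equivalent form agree, that the whole of stage 2 can be evaluated as a chain of F_{Δ(i)} with the counter XORed only at the start and the end, and that Δ(i) has the period 2^s over 0 ≤ i ≤ 2^s − 2 (the derivation on slide 11 needs ⟨i+1⟩ to fit in s bits, so i = 2^s − 1 is the one index per period that does not repeat).

```python
import hashlib
import random

# Toy parameter (assumption): a 16-bit state instead of Streebog's 512 bits, so the
# identities below can be checked on many random inputs in a fraction of a second.
N_BITS = 16


def f(x, m):
    """Constructed toy stand-in for Streebog's inner function f (not the real primitive).
    The counter observation of the slides does not depend on what f is."""
    data = x.to_bytes(2, "big") + m.to_bytes(2, "big")
    return int.from_bytes(hashlib.blake2b(data, digest_size=2).digest(), "big")


def g(h_prev, i, m):
    """Slide 4: h_i = f(h_{i-1} XOR i, m_i) XOR h_{i-1}, the counter counting blocks."""
    return f(h_prev ^ i, m) ^ h_prev


def F(x, m):
    """Slide 9: F(x, m) = f(x, m) XOR x; F never sees the counter."""
    return f(x, m) ^ x


def g_equiv(h_prev, i, m):
    """Slide 9: the same g written as h_i = F(h_{i-1} XOR i, m_i) XOR i."""
    return F(h_prev ^ i, m) ^ i


def delta(i):
    """Slide 10: Delta(i) = i XOR (i + 1)."""
    return i ^ (i + 1)


def F_delta(i, x, m):
    """Slide 10: F_{Delta(i)}(X, Y) = F(X, Y) XOR Delta(i)."""
    return F(x, m) ^ delta(i)


def hash_blocks(iv, blocks):
    """Stage 2 as specified: iterate g with counter i on block m_i (blocks numbered from 1)."""
    h = iv
    for i, m in enumerate(blocks, start=1):
        h = g(h, i, m)
    return h


def hash_blocks_chained(iv, blocks):
    """Stage 2 as on slides 10-13: XOR the first counter once, run the chain
    F_{Delta(1)}, ..., F_{Delta(t-1)}, then XOR the last counter t at the end."""
    t = len(blocks)
    if t == 0:
        return iv
    x = iv ^ 1
    for i in range(1, t):
        x = F_delta(i, x, blocks[i - 1])
    return F(x, blocks[t - 1]) ^ t


def delta_sequence(count):
    """The table of slide 11: Delta(0), Delta(1), ..., Delta(count - 1)."""
    return [delta(i) for i in range(count)]


def delta_is_periodic(s, j_max=8):
    """Slide 12: Delta(i) == Delta(i + j * 2^s) for 0 <= i <= 2^s - 2 and j > 0."""
    period = 1 << s
    return all(delta(i) == delta(i + j * period)
               for i in range(period - 1) for j in range(1, j_max + 1))


def check_equivalence(trials=2000, seed=7):
    """Random check that g == g_equiv and that the chained evaluation equals the specified one."""
    rng = random.Random(seed)
    for _ in range(trials):
        h, i, m = rng.getrandbits(N_BITS), rng.randrange(1, 1 << 12), rng.getrandbits(N_BITS)
        if g(h, i, m) != g_equiv(h, i, m):
            return False
        blocks = [rng.getrandbits(N_BITS) for _ in range(rng.randrange(1, 20))]
        iv = rng.getrandbits(N_BITS)
        if hash_blocks(iv, blocks) != hash_blocks_chained(iv, blocks):
            return False
    return True


if __name__ == "__main__":
    print("Delta(i) for i < 24:", delta_sequence(24))
    print("periodic for s = 2, 3, 4:", delta_is_periodic(2), delta_is_periodic(3), delta_is_periodic(4))
    print("g == g_equiv and chain == spec:", check_equivalence())
```

The printed Δ(i) sequence reproduces the table on slide 11; `delta_is_periodic` is the programmatic form of the statement on slide 12, and the range it checks stops at 2^s − 2 for the reason given above.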

  14–15. Cryptographic consequences of the HAIFA instantiation (one slide, two animation frames).
     Streebog is one choice of counter usage from the HAIFA framework. Consequences of this choice:
     ◮ Counters at steps $i$ and $i + 1$ can be combined.
     ◮ Distinction of compression function calls in the HAIFA framework not achieved.
     ◮ Domain extension similar to a Merkle-Damgård scheme. ⇒ Possibility to apply existing known second-preimage attacks.
     Our second-preimage attacks on Streebog (security level: $2^{512}$):
     ◮ Using a diamond structure:
       ◮ Original message of at least $2^{179}$ blocks.
       ◮ $2^{342}$ compression function evaluations.
     ◮ Using an expandable message:
       ◮ Original message of at least $2^{259}$ blocks.
       ◮ $2^{266}$ compression function evaluations.

  16. Diamond structure (1/2)
     Diamond structure:
     ◮ Introduced in [KK06].
     ◮ Complete binary tree.
     ◮ Nodes: chaining values.
     ◮ Edges: 1-block $n$-bit messages.
     ◮ Depth $d$.
     Construction:
     ◮ Levels constructed sequentially.
     ◮ Complexity: $2^{(n+d)/2}$ calls.
     ◮ Evaluation done in [KK13].
     [Figure: a binary tree with $2^{2^s - 1}$ leaves $h^0_1, h^1_1, \ldots$ and edges labelled by message blocks $m^0_1, m^1_1, \ldots$; the levels are joined by $F_0$, then $F_{2^s - 3} \circ \cdots \circ F_1$, then $F_{2^s - 2}$, converging on the root $h_\diamond$.]

  17. Diamond structure (2/2)
     Diamond used in our attack:
     ◮ Root $h_\diamond$.
     ◮ Depth $d = 2^s - 1$.
     ◮ $F_i$'s used to join the levels.
     ◮ #leaves $= 2^{2^s - 1}$.
     Remarks:
     ◮ Same function at each level in the original attack on Merkle-Damgård.
     ◮ Here, full control of the counter effect in the $(2^s - 1)$-chains with different functions $F_i$.
     [Figure: the same tree, levels joined by $F_0$, $F_{2^s - 3} \circ \cdots \circ F_1$ and $F_{2^s - 2}$, leaves $h^0_1, h^1_1, \ldots$, edges $m^0_1, m^1_1, \ldots$, root $h_\diamond$.]
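To make slides 16 and 17 concrete, the following Python is an added example of the sequential level-by-level diamond construction; it is not the authors' code and not a description of their actual attack parameters. It reuses the same constructed 16-bit stand-in for f as above (an assumption: the real n is 512, where the same construction would cost about 2^{(n+d)/2} calls and is far out of reach), takes s = 2 so the depth is d = 2^s − 1 = 3 and there are 2^d = 8 leaves, and joins level k of the tree with F_{Δ(k)}, i.e. a different function per level exactly as the slide remarks. Nodes of a level are paired greedily as soon as two unpaired nodes produce the same output, and the result is verified by walking every leaf-to-root path.

```python
import hashlib
import random

N_BITS = 16  # toy state size (assumption); the real function has n = 512


def f(x, m):
    """Constructed toy stand-in for Streebog's f; the diamond only needs F to look random."""
    data = x.to_bytes(2, "big") + m.to_bytes(2, "big")
    return int.from_bytes(hashlib.blake2b(data, digest_size=2).digest(), "big")


def F(x, m):
    """F(x, m) = f(x, m) XOR x, the counter-free function of slide 9."""
    return f(x, m) ^ x


def delta(i):
    return i ^ (i + 1)


def level_functions(s):
    """The 2^s - 1 functions F_{Delta(0)}, ..., F_{Delta(2^s - 2)} of one chain (slide 13);
    in the diamond of slide 17 they join consecutive levels of the tree."""
    return [(lambda x, m, i=i: F(x, m) ^ delta(i)) for i in range(2 ** s - 1)]


def build_diamond(leaves, funcs, seed=1):
    """Build the levels sequentially: at level k, keep sampling one-block messages from
    unpaired nodes until each node collides with another node under funcs[k].
    Returns (root, edges, calls) with edges[(k, node_value)] = (message, parent_value)."""
    rng = random.Random(seed)
    level = list(leaves)
    edges = {}
    calls = 0
    for k, Fk in enumerate(funcs):
        if len(level) % 2:
            raise RuntimeError("level size must be even")
        unpaired = set(range(len(level)))
        seen = {}      # output value -> (node index, message) of its most recent producer
        parents = {}   # node index -> (message, parent value)
        while unpaired:
            node = rng.choice(sorted(unpaired))
            m = rng.getrandbits(N_BITS)
            out = Fk(level[node], m)
            calls += 1
            other = seen.get(out)
            if other is not None and other[0] != node and other[0] in unpaired:
                parents[node] = (m, out)          # two distinct nodes reach the same value:
                parents[other[0]] = (other[1], out)  # they become siblings under that parent
                unpaired -= {node, other[0]}
            else:
                seen[out] = (node, m)
        next_level = []
        for node, (m, parent) in parents.items():
            edges[(k, level[node])] = (m, parent)
            if parent not in next_level:
                next_level.append(parent)
        level = next_level
    if len(level) != 1:
        raise RuntimeError("number of leaves must be 2^len(funcs)")
    return level[0], edges, calls


def diamond_path(edges, leaf, depth):
    """Follow the stored edges from a leaf up to the root: (message blocks, root value)."""
    msgs, v = [], leaf
    for k in range(depth):
        m, v = edges[(k, v)]
        msgs.append(m)
    return msgs, v


def evaluate_chain(start, msgs, funcs):
    """Recompute a path independently of the stored edges."""
    v = start
    for Fk, m in zip(funcs, msgs):
        v = Fk(v, m)
    return v


def demo(s=2, seed=1):
    """Diamond of depth d = 2^s - 1 with 2^d distinct leaves, joined by F_{Delta(0)}..F_{Delta(d-1)}."""
    funcs = level_functions(s)
    d = len(funcs)
    rng = random.Random(seed)
    leaves = []
    while len(leaves) < 2 ** d:          # constructed random leaf chaining values
        v = rng.getrandbits(N_BITS)
        if v not in leaves:
            leaves.append(v)
    root, edges, calls = build_diamond(leaves, funcs, seed)
    ok = all(evaluate_chain(leaf, diamond_path(edges, leaf, d)[0], funcs) == root for leaf in leaves)
    return {"depth": d, "leaves": len(leaves), "root": root, "calls": calls, "verified": ok}


if __name__ == "__main__":
    print(demo())
```

The `calls` counter makes the cost model of slide 16 visible: every level is a birthday search among its nodes, and the total number of F evaluations grows with both the state size n and the depth d.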
