  1. Unaligned Rebound Attack: Application to Keccak
  Alexandre Duc (1), Jian Guo (2), Thomas Peyrin (3) and Lei Wei (3)
  (1) Ecole Polytechnique Fédérale de Lausanne, Switzerland
  (2) Institute for Infocomm Research, Singapore
  (3) Nanyang Technological University, Singapore
  21 March 2012
  Duc, Guo, Peyrin, Wei (EPFL, I2R, NTU), Unaligned Rebound Attack, 21.03.2012, slide 1 / 35

  2. Introduction: The SHA-3 Competition
  • Most standardized hash functions suffer from attacks
  • NIST launched a SHA-3 competition
  • December 2010: five finalists selected: BLAKE, Grøstl, JH, Keccak, Skein
  • None of them is broken yet → important to perform cryptanalysis on them
  • We focus on Keccak (designed by Bertoni, Daemen, Peeters and Van Assche)

  3. Outline
  1 Introduction
  2 Keccak
  3 Differential Path Search
  4 The Rebound Attack
  5 Results and Further Work

  4. Introduction: Our Goals
  • Hard to find collision or preimage attacks
  • We look for differential distinguishers on reduced-round versions of the internal permutation used in Keccak (Keccak-f)
  • The Sponge proof relies on the fact that the internal permutation is ideal

  5. Introduction: Previous Cryptanalysis Results on Keccak
  So far, the results on Keccak are the following:
  • J.-P. Aumasson and W. Meier (2009): zero-sum distinguishers up to 16 rounds of Keccak-f[1600].
  • P. Morawiecki and M. Srebrny (2010): preimage attack using SAT solvers on up to 3 rounds of Keccak.
  • D. J. Bernstein (2010): a second-preimage attack on 8 rounds with high complexity.
  • C. Boura et al. (2010-2011): zero-sum partition distinguishers on the full 24-round version of Keccak-f[1600].
  • M. Naya-Plasencia et al. (2011): practical attacks on a small number of rounds.

  6. Outline (section 2: Keccak)

  7. Keccak: Sponge Functions, The Sponge Construction
  Figure: the sponge construction. The state is split into a rate part (r bits) and a capacity part (c bits), both initialized to 0. Absorbing phase: each message block m_0, m_1, ..., m_i is XORed into the rate part and the permutation f is applied. Squeezing phase: output blocks z_0, z_1, ... are read from the rate part, with f applied between them.

  8. Keccak-f: The Keccak-f State
  • The b-bit Keccak-f state: a 5 × 5 × 2^ℓ bit array
  • 7 versions of Keccak-f: ℓ = 0, ..., 6, named Keccak-f[b]

  9. Keccak-f: The Keccak-f Internal Permutation
  • b-bit Keccak round permutation R_r applied for n_r rounds
  • n_r = 12 + 2ℓ
  • 24 rounds for Keccak-f[1600]
  • R_r is divided into 5 substeps
  • R_r = ι_r ∘ χ ∘ π ∘ ρ ∘ θ

  10. Keccak-f: The θ Permutation (R_r = ι_r ∘ χ ∘ π ∘ ρ ∘ θ)
  The θ permutation: linear mapping that provides a high level of diffusion
  $a[x][y][z] \leftarrow a[x][y][z] + \sum_{i=0}^{4} a[x-1][i][z] + \sum_{i=0}^{4} a[x+1][i][z-1]$

  11. Keccak-f: The ρ Permutation (R_r = ι_r ∘ χ ∘ π ∘ ρ ∘ θ)
  The ρ permutation: linear mapping that provides inter-slice diffusion. Each lane is rotated by a constant depending on x and y.

  12. Keccak-f: The π Permutation (R_r = ι_r ∘ χ ∘ π ∘ ρ ∘ θ)
  The π permutation: rotation within a slice. Breaks column alignment.
  The bit at position (x', y') is moved to (x, y), where
  $\begin{pmatrix} x \\ y \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix} \begin{pmatrix} x' \\ y' \end{pmatrix}$.

  13. Keccak-f: The χ Permutation (R_r = ι_r ∘ χ ∘ π ∘ ρ ∘ θ)
  The χ permutation: the only non-linear layer; s = 5 × 2^ℓ Sboxes (one per row)
  $a[x] \leftarrow a[x] + ((\neg a[x+1]) \wedge a[x+2])$

  14. Keccak-f: The ι_r Permutation (R_r = ι_r ∘ χ ∘ π ∘ ρ ∘ θ)
  • Depends on the round number
  • Addition of round constants to the first lane a[0][0][.]
  • Breaks the symmetry of the rounds
  • For differential cryptanalysis we ignore it

  15. Keccak-f: Summary
  • We have one linear layer → λ := π ∘ ρ ∘ θ
  • One non-linear layer χ
  • One round constant layer that we ignore: ι_r

  16. Outline (section 3: Differential Path Search)

  17/18. Differential Path Search: Useful Properties, Diffusion in Keccak
  • Diffusion comes mostly from θ
  • π and ρ move bits around
  • χ has a very slow diffusion
  Diffusion of θ: at most 11 new active bits
  Diffusion of θ^{-1}: half of the bits are active on average

  19. Differential Path Search: Useful Properties, The Column-Parity Kernel
  $\theta: a[x][y][z] \leftarrow a[x][y][z] + \sum_{i=0}^{4} a[x-1][i][z] + \sum_{i=0}^{4} a[x+1][i][z-1]$
  Even number of active bits in every column → no diffusion through θ.
  We call the set of such states the column-parity kernel (CPK).

  20. Differential Path Search: Our Algorithm, Path Search Algorithm
  $a_0 \xleftarrow{\lambda^{-1}} b_0 \xleftarrow{\chi^{-1}} a_1 \xrightarrow{\lambda} b_1 \xrightarrow{\chi} a_2 \xrightarrow{\lambda} b_2 \xrightarrow{\chi} a_3 \xrightarrow{\lambda} b_3 \cdots$
  • We start with a random state in the CPK with ≤ k active columns
  • We compute forward, taking a random "best" slice transition
  • By "best", we mean a transition that maximizes the number of columns with even parity and has the lowest Hamming weight
  • If the path has the best DP: one round backwards

  21. Differential Path Search: Our Algorithm, Differential Path Results on Keccak
  Best differential path probability (per-round weights in parentheses):

    b    | 1 rd      | 2 rds       | 3 rds
    400  | 2^-2 (2)  | 2^-8 (4-4)  | 2^-24 (8-8-8)
    800  | 2^-2 (2)  | 2^-8 (4-4)  | 2^-32 (4-4-24)
    1600 | 2^-2 (2)  | 2^-8 (4-4)  | 2^-32 (4-4-24)

    b    | 4 rds                  | 5 rds
    400  | 2^-84 (16-14-12-42)    | 2^-216 (16-32-40-32-96)
    800  | 2^-109 (12-12-12-73)   | 2^-432 (32-64-80-64-192)
    1600 | 2^-142 (12-12-12-106)  | 2^-709 (16-16-16-114-547)

  • Three-round paths with 2^-32 are the best we can hope for (see next talk)
  • The path with 2^-709 was independently improved by M. Naya-Plasencia et al. to 2^-510.

  22. Differential Path Search: Building Simple Distinguishers
  Easy distinguisher: fixed input/output difference.
  Figure: Δ_in → [differential path] → Δ_out
  Generic complexity of mapping a fixed input difference to a fixed output difference: 2^b.

  23. Differential Path Search: Building Simple Distinguishers (one free round)
  One free round: choose the value for each of the Sboxes → use the degrees of freedom.
  Figure: Δ_in → [free round] → Δ_out' → [differential path] → Δ_out
  Generic complexity of mapping a fixed input difference to a fixed output difference: 2^b.

  24. Differential Path Search: Building Simple Distinguishers (sets of differences)
  Map a set of input differences to a set of output differences.
  Figure: Δ_in (from the set Γ_in) → [free round] → Δ_out' → [differential path] → Δ_out (in the set Γ_out)
  Generic complexity, limited-birthday distinguisher (Gilbert and Peyrin), with Γ_in and Γ_out also denoting the sizes of the two sets:
  $\max\left\{\min\left\{\sqrt{2^b/\Gamma_{in}},\ \sqrt{2^b/\Gamma_{out}}\right\},\ \frac{2^b}{\Gamma_{in} \times \Gamma_{out}}\right\}$

  25. Outline (section 4: The Rebound Attack)

  26. The Rebound Attack: The Original Rebound Attack
  • Proposed first by Mendel et al. in 2009.
  • We divide the rounds into three parts:
    Backward (n_r^B rounds) | Inbound (n_r^I rounds) | Forward (n_r^F rounds)
