
1. Equivalent Key Recovery Attacks against HMAC and NMAC with Whirlpool Reduced to 7 Rounds
Jian Guo (1), Yu Sasaki (2), Lei Wang (1), Meiqin Wang (3) and Long Wen (3)
1: Nanyang Technological University, Singapore
2: NTT Secure Platform Laboratories, Japan
3: Shandong University, China
FSE 2014 (05/March/2014). Initially discussed at ASK 2013 at Weihai.

2. Research Summary
• Improved key recovery attack on HMAC-Whirlpool.
• Convert MitM attacks on AES-based ciphers into the known-plaintext model.
(Note on the slide: 2^482.3 for the camera-ready version.)

3. Whirlpool
• AES-based 512-bit hash function proposed by Barreto and Rijmen in 2000.
• Standardised by ISO.
• Recommended by NESSIE.
• Implemented in many cryptographic libraries.
• Its usage in HMAC is also implemented.

4. More Structure on Whirlpool
• Narrow-pipe Merkle-Damgård iteration.
• The compression function is built in Miyaguchi-Preneel mode from an AES-based block cipher.
[Figure: the chain H_0 (= IV) -> CF(M_0) -> H_1 -> ... -> CF(M_(l-1)) -> tag, with all chaining values and message blocks 512 bits wide; each CF computes H_i from H_(i-1) and M_(i-1) by calling the block cipher E with H_(i-1) as the key and feeding the inputs forward.]

5. HMAC
• Proposed by Bellare et al. in 1996 with a proof of being a PRF up to birthday-order queries.
• Generates a MAC by two hash function calls.
[Figure: tag = Hash(IV, (K ⊕ opad) || Hash(IV, (K ⊕ ipad) || M)).]

6. HMAC in CF Level
• The same two hash calls of slide 5, drawn at the compression-function level.
[Figure: inner call: IV -> CF(K ⊕ ipad) = K_in -> CF(M_0) -> ... -> CF(m_1 || pad_I); outer call: IV -> CF(K ⊕ opad) = K_out -> CF(inner digest) -> CF(pad_O) -> tag.]
• K_in and K_out are the equivalent keys: they are the chaining values after absorbing K ⊕ ipad and K ⊕ opad, and knowing both is enough to compute the tag of any message without K.

7. Initial Thoughts
• The previous key recovery attack on HMAC-Whirlpool reaches up to 6 rounds.
• At Eurocrypt 2013, Derbez et al. presented a 7-round key recovery attack on AES using a MitM attack in the chosen-plaintext model.
• Can we apply the MitM attack to 7-round HMAC-Whirlpool?
• The application is not easy!!

8. Overview
• Collect many pairs of (pt, ct) and run the MitM attack.
• K_out is used as the key input of the AES-based cipher; it should be recovered by the MitM attack.
[Figure: the outer HMAC call with the block cipher E inside its second CF exposed: key K_out, plaintext pt (the inner digest), ciphertext ct, chaining output v, then CF(pad_O) -> tag.]

9. Difficulties of MitM Attack
• In HMAC, the attacker can only observe the tag value.
  1. pt is unknown.
  2. pt is random, not chosen by the attacker.
  3. v and ct are unknown.
[Figure: the diagram of slide 8 annotated with these three unknowns.]

10. Our Strategy for Difficulty 1
• Internal state recovery.
• [LPW-AC13]: the internal state after a 1-block message is recovered with O(2^(3n/4)) complexity, which makes pt known.
[Figure: the diagram of slide 8 with the inner-call state pt marked as recovered.]

11. Our Strategy for Difficulty 3
• Precompute a look-up table.
• Generate 2^z pairs of (v, tag) in advance.
• With probability 2^-(n-z), an observed tag is converted to v.
[Figure: the diagram of slide 8 with the final step CF(v, pad_O) = tag marked as inverted through the table.]
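Slides 6 and 11 rest on two generic HMAC facts: K_in and K_out are equivalent keys, and the last compression function of the outer call has a public padding block, so a precomputed (v, tag) table inverts it with probability about 2^-(n-z). The following is an added Python example written for this page, not the authors' attack code. It assumes a 16-bit toy Feistel cipher in place of Whirlpool's internal cipher, a 16-bit narrow pipe, and a padding block simplified to the message length, all labelled in the code; the hit-rate numbers are illustrative only.

```python
"""Toy model of the two HMAC facts used in slides 6 and 11.

Constructed for this page, not the authors' code: a 16-bit toy Feistel cipher
stands in for Whirlpool's internal cipher, chaining value and block are both
N = 16 bits (narrow pipe, as in Whirlpool), and the padding block is simplified
to the message length in blocks.
"""
import random

N = 16                      # chaining-value width == block width (narrow pipe)
MASK = (1 << N) - 1
IV = 0                      # all-zero IV, as in Whirlpool
IPAD = 0x3636               # HMAC ipad/opad bytes repeated across one block
OPAD = 0x5C5C
ROUNDS = 6


def sbox(x):
    """8-bit nonlinear permutation: x -> (x+1)^3 mod 257, shifted back to 0..255."""
    return pow(x + 1, 3, 257) - 1


def encrypt(key, block):
    """Toy 16-bit Feistel block cipher E_key(block); assumed, not Whirlpool's E."""
    left, right = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        # round key: alternate the two key bytes, then pass through the S-box
        rk = sbox(((key >> (8 * (i % 2))) & 0xFF) ^ ((0x35 * i) & 0xFF))
        left, right = right, left ^ sbox(right ^ rk)
    return (left << 8) | right


def cf(h, m):
    """Miyaguchi-Preneel compression function: CF(h, m) = E_h(m) xor m xor h."""
    return encrypt(h, m) ^ m ^ h


def pad_block(nblocks):
    """Simplified final padding block: the message length in blocks."""
    return nblocks & MASK


def absorb(h, blocks):
    """Merkle-Damgard iteration of CF over the blocks from chaining value h."""
    for m in blocks:
        h = cf(h, m)
    return h


def md_hash(blocks):
    """Hash from IV: absorb the blocks, then one padding block."""
    return cf(absorb(IV, blocks), pad_block(len(blocks)))


def hmac_tag(key, blocks):
    """HMAC as two hash calls: H((K xor opad) || H((K xor ipad) || M))."""
    inner = md_hash([key ^ IPAD] + list(blocks))
    return md_hash([key ^ OPAD, inner])


# The outer hash always processes exactly two blocks (K xor opad, inner digest),
# so its padding block pad_O is a public constant and tag = CF(v, pad_O).
PAD_O = pad_block(2)


def equivalent_keys(key):
    """K_in and K_out: chaining values after absorbing K xor ipad and K xor opad."""
    return cf(IV, key ^ IPAD), cf(IV, key ^ OPAD)


def forge_with_equivalent_keys(k_in, k_out, blocks):
    """Tag of an arbitrary message computed from (K_in, K_out) alone, without K."""
    blocks = list(blocks)
    inner = cf(absorb(k_in, blocks), pad_block(1 + len(blocks)))
    v = cf(k_out, inner)
    return cf(v, PAD_O)


def build_conversion_table(z, rng):
    """Slide 11: precompute 2^z pairs (v, tag = CF(v, pad_O)), indexed by tag."""
    return {cf(v, PAD_O): v for v in rng.sample(range(1 << N), 1 << z)}


def tag_to_v(table, tag):
    """Convert an observed tag to the chaining value v in front of CF(., pad_O)."""
    return table.get(tag)          # None on a miss


def conversion_hit_rate(z, trials, seed=1):
    """Fraction of real HMAC tags the table converts; about 2^-(N-z) expected."""
    rng = random.Random(seed)
    table = build_conversion_table(z, rng)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(N)
        msg = [rng.getrandbits(N) for _ in range(rng.randint(1, 4))]
        tag = hmac_tag(key, msg)
        v = tag_to_v(table, tag)
        if v is not None:
            assert cf(v, PAD_O) == tag   # every hit is a genuine preimage of the tag
            hits += 1
    return hits / trials


if __name__ == "__main__":
    k_in, k_out = equivalent_keys(0xBEEF)
    msg = [0x1234, 0xABCD, 0x0042]
    print("forged == real:", forge_with_equivalent_keys(k_in, k_out, msg) == hmac_tag(0xBEEF, msg))
    print("hit rate, z = 12, n = 16 (expect about 1/16):", conversion_hit_rate(12, 4096))
```

Run it directly to see that a tag forged from (K_in, K_out) equals the real HMAC tag for any message, and that with z = 12 and n = 16 roughly one tag in sixteen is converted back to a valid v. The same arithmetic at Whirlpool's n = 512 is what the 2^-(n-z) on slide 11 refers to.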

12. MitM Attacks on AES-Based Ciphers in the Known-Plaintext Model

13. Whirlpool Internal Block-cipher
• 8 × 8-byte state.
• 10 rounds, with the last MixRows operation kept (unlike AES, which omits its linear layer in the last round).
• Similar operations between the key and data paths.
[Figure: one round of the key schedule (K_out -> SB -> SC -> MR -> add round constant) beside one data round (pt -> SB -> SC -> MR -> add round key).]

14. Notations: d-set and n-d-set
For a byte-oriented cipher, a d-set is a set of 256 texts such that one byte takes all 256 possible values across the texts (Active) and the other bytes take a fixed value across the texts (Constant). If n bytes are active, we call it an n-d-set (it has 256^n = 2^(8n) texts).
[Figure: two 8 × 8 byte grids of A (Active) and C (Constant) cells: a d-set with a single active byte, and the 12-d-set used in the attack with 12 active bytes.]

15. Previous MitM Attack on AES (1/2)
• 7R characteristic (number of active bytes per state): 4 -> 1 -> 4 -> 16 -> 4 -> 1 -> 4 -> 16, split into E_pre, E_mid and E_post.
• 4-round middle distinguisher.
[Figure: the 4 middle rounds from state #X to state #Y, with round keys u1, u2, k3, k4 and the SB, SR, MC, AK operations.]
  – Consider the function f which maps #X[0] to #Y[0]. The number of all possible such functions is 2^(8·256) = 2^2048.
  – For a pair of texts satisfying the characteristic, construct a d-set by modifying #X[0]: (d_0, d_1, …, d_255). Then {f(d_0), f(d_1), …, f(d_255)} can take only 2^80 possibilities.

16. Previous MitM Attack on AES (2/2)
[Figure: the 7-round characteristic from #X to #Y: one round of E_pre, the 4 middle rounds with 2^80 possibilities, then E_post up to round 7.]
• Offline: precompute the 2^80 possible distinguishers.
• Online: collect pairs of plaintext and ciphertext satisfying the input and output differential forms.
  – For each pair, guess sk_pre and change the plaintext so that a d-set is constructed at #X[0].
  – For each modified plaintext, obtain the ciphertext.
  – Guess sk_post and match against the precomputed distinguishers.

17. Is It Applicable to HMAC-Whirlpool?
The answer is not obvious.
• Chosen-plaintext vs. known-plaintext
  – Cannot efficiently collect plaintext pairs.
  – After constructing a d-set at #X[0], the corresponding ciphertext is obtained only probabilistically (the multiset technique cannot be used).
• 4 × 4 state size vs. 8 × 8 state size
  – The larger state of Whirlpool is easier to analyse.
  – (The 2^-468 of the multiset technique is no longer enough.)
• The Whirlpool key schedule is easier to analyse.

18. Our Strategy
• Chosen-plaintext vs. known-plaintext
  – Cannot efficiently collect plaintext pairs: simply increase the data amount.
  – After constructing a d-set at #X, the corresponding ciphertext is obtained only probabilistically (the multiset technique cannot be used): use an n-d-set instead of a d-set, so that more elements are examined and enough elements will remain.

19. MitM Attack on HMAC-Whirlpool (1/4)
• 7R characteristic (number of active bytes per state): 32 -> 12 -> 24 -> 64 -> 8 -> 1 -> 8 -> 64, split into E_pre, E_mid and E_post.
• 4-round middle distinguisher.
[Figure: the 4 middle rounds from state #X to state #Y, with round keys u0, u1, u2, k3, k4, k5 and the SB, SR, MC, AK operations.]
  – Consider the function f which maps 12 bytes of #X to #Y[0]. The number of all such functions is far too large to enumerate.
  – For a pair of texts satisfying the characteristic, construct a 12-d-set by modifying #X: (d_0, d_1, …, d_(2^96 - 1)). Then {f(d_0), f(d_1), …, f(d_(2^96 - 1))} takes only 2^360 possibilities.

20. MitM Attack on HMAC-Whirlpool (2/4)
[Figure: the 7-round characteristic from #X to #Y: one round of E_pre, the 4 middle rounds with 2^360 possibilities, then E_post up to round 7.]
• Offline: precompute the 2^360 possible distinguishers.
• Online: collect pairs of plaintext and ciphertext satisfying the input and output differential forms.
  – For each pair, guess sk_pre and change the plaintext so that a 12-d-set is constructed at #X. (!! The attacker cannot change plaintexts in the known-plaintext setting; see slide 21.)
  – For each modified plaintext, obtain the ciphertext.
  – Guess sk_post and match against the precomputed distinguishers.

21. MitM Attack on HMAC-Whirlpool (3/4)
1. Due to the known-plaintext model, only a part of the 12-d-set can be obtained.
2. Due to the conversion from tag to ct, ct is obtained only probabilistically.
   (1 and 2 can be resolved by using more data.)
3. Cannot know which element of the 12-d-set is obtained, so the precomputation table cannot be sorted (match cost ≠ 1).
Where these hit the online steps:
  – For each pair, guess sk_pre and change the plaintext so that a 12-d-set is constructed at #X. (1)
  – For each modified plaintext, obtain the ciphertext. (2)
  – Guess sk_post and match against the precomputed distinguishers. (3)

22. MitM Attack on HMAC-Whirlpool (4/4)
[Figure: the first rounds of the key path (K_out -> SB -> SR -> MC -> ...) and of the data path (plaintext -> SB -> SR -> MC -> ...) up to state #X.]
• The previous attack only recovers up to #X.

23. MitM Attack on HMAC-Whirlpool (4/4)
[Figure: as on the previous slide, with an earlier data state #X' marked "Guess 16 bytes".]
• The previous attack only recovers up to #X.
• In Whirlpool, we know more bytes. By guessing more bytes at #X' (16 bytes), we can recover all the bytes that index the 2^360 distinguishers.
• The match is then done on sorted data.

24. Remarks on Attacks
• The best differential characteristic and the number of n-d-sets were searched for by a program.
• An optimisation technique for building the conversion table from tag to v.
• (Time, Mem, Data) = (2^490.3, 2^481, 2^481.3). (Note on the slide: 2^482.3 for the camera-ready version.)
• K_in recovery is easier because it is CPA, not KPA.
[Figure: inner call with pad_I and K_in, outer call with pad_O and K_out, as on slide 6.]

25. Concluding Remarks
• 7-round key recovery attack on HMAC-Whirlpool.
• Based on the MitM attack on AES, but with many different problems and many optimisations for HMAC and AES-based compression functions.
• Application to Sandwich-MAC is still open.
  – It needs unknown-plaintext recovery with different keys.
[Figure: the last compression function of Sandwich-MAC, with E, K, H_(i-1) and tag.]
Thank you!!
