  • Blue Midnight Wish: Description and Cryptanalysis

    Dennis Hoppe

    Bauhaus-University Weimar

    13th May 2009

    Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 1 / 45

  • Agenda

    1 Cryptographic Hash Algorithm Competition

    2 Hash functions based on block ciphers

    3 Blue Midnight Wish

        Description

        Design Properties

        Security Claims

    4 Cryptanalysis of Blue Midnight Wish

    5 Conclusions

  • Cryptographic Hash Algorithm Competition

    NIST has opened a public competition to develop a new cryptographic hash algorithm, which converts a variable length message into a short “message digest” that can be used for digital signatures, message authentication and other applications. The competition is NIST’s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called “SHA-3” [..]

    Among the SHA-3 submissions is Blue Midnight Wish, a hash function based on a block cipher (Gligoroski et al., 2008)

  • Hash functions based on block ciphers

    Block ciphers

    $E_K, D_K : \{0,1\}^n \to \{0,1\}^n$

    $D_K(E_K(x)) = x, \quad x \in \{0,1\}^n$

    [Figure: block cipher E mapping an n-bit plaintext to an n-bit ciphertext under a k-bit key]

    Allow unique decryption, since the encryption function is one-to-one

    Encryption function is a bijection, defining a permutation on n-bit blocks

    Each key K defines a different bijection

  • Hash functions based on block ciphers – cont’d

    Block ciphers

    Allow construction of hash functions, $H_i = f(X_i, H_{i-1})$

    Motivation is minimization of design and implementation effort

    [Figure: block cipher E with key K, plaintext P, ciphertext C and forward feedback FF]

    P, K and FF can be chosen from the set $\{X_i, H_{i-1}, X_i \oplus H_{i-1}, V\}$

    $4^3 = 64$ different schemes

  • Hash functions based on block ciphers – cont’d

    Secure schemes (Preneel et al., 1994)

    Constructions of block ciphers to be used as building blocks in hash functions studied by means of a general model (64 schemes)

    It is shown that 12 of these schemes are secure

    Nevertheless, in the general model, i.e. DES is used as the underlying block cipher, fixed points are possible for schemes 5 to 12

    Name   Function Expression                                          Fixed points
    PGV1   $E(H_{i-1}, X_i) \oplus X_i$                                 -
    PGV2   $E(H_{i-1}, X_i \oplus H_{i-1}) \oplus X_i \oplus H_{i-1}$   -
    PGV3   $E(H_{i-1}, X_i) \oplus X_i \oplus H_{i-1}$                  -
    ...
    PGV6   $E(X_i, X_i \oplus H_{i-1}) \oplus X_i \oplus H_{i-1}$       $X_i = K$, $H_{i-1} = D(K, K) \oplus K$
    ...
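
    The PGV6 fixed point from the table, as an added example that is not part of the original slides: with a toy invertible cipher standing in for E, the choice X_i = K and H_{i-1} = D(K, K) XOR K leaves the chaining value unchanged. The cipher, its constants and all function names are assumptions of this example.

```python
MASK = 0xFFFFFFFF                  # toy 32-bit block and key size (assumption)
MUL = 0x9E3779B1                   # odd constant, so invertible modulo 2**32
MUL_INV = pow(MUL, -1, 1 << 32)
ROUNDS = 8

def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def rotr(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK

def round_keys(key):
    # Hypothetical key schedule: rotated copies of the key mixed with the round index.
    return [rotl(key, (5 * r) % 32) ^ r for r in range(ROUNDS)]

def E(key, block):
    """Toy keyed permutation standing in for the block cipher E (not DES, not secure)."""
    x = block & MASK
    for rk in round_keys(key):
        x = (x + rk) & MASK
        x = rotl(x, 7)
        x = (x * MUL) & MASK
    return x

def D(key, block):
    """Inverse of E under the same key: undo each round in reverse order."""
    x = block & MASK
    for rk in reversed(round_keys(key)):
        x = (x * MUL_INV) & MASK
        x = rotr(x, 7)
        x = (x - rk) & MASK
    return x

def pgv6(h_prev, x):
    """PGV6 compression: H_i = E(X_i, X_i ^ H_{i-1}) ^ X_i ^ H_{i-1}."""
    t = x ^ h_prev
    return E(x, t) ^ t

def pgv6_fixed_point(k):
    """Chaining value that the block X_i = K maps to itself: H_{i-1} = D(K, K) ^ K."""
    return D(k, k) ^ k

def absorb(h, blocks):
    """Iterate the compression function over a list of message blocks."""
    for x in blocks:
        h = pgv6(h, x)
    return h

if __name__ == "__main__":
    for k in (0x00000000, 0x01234567, 0xDEADBEEF):      # constructed sample keys
        h = pgv6_fixed_point(k)
        print(f"K={k:08x}  H={h:08x}  unchanged after 4 blocks: {absorb(h, [k] * 4) == h}")
```

    Since E(K, ·) is a permutation, this is the only chaining value that the block K leaves fixed.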

  • Description of Blue Midnight Wish

    Introduction

    Cryptographic hash function with output size of n bits

        32-bit version supports $n \in \{224, 256\}$

        64-bit version supports $n \in \{384, 512\}$

    Applies a Double Pipe Design (Lucks, 2004)

    Using a block cipher of 16 rounds as part of the compression function

    Based on low primitive operations

        Bitwise exclusive-OR

        Addition/subtraction modulo $2^{32}$ or $2^{64}$

        Shift operations to the left/right, denoted by $SHL^l(x)$ and $SHR^r(x)$

        Rotations to the left, denoted as $ROTL^l(x)$

  • Description of Blue Midnight Wish – cont’d

    Input: Message M of length l bits and the size n of the hash

    Output: A hash of the message M of size n bits

    1 Preprocessing

        (a) Pad the message M (MD-Strengthening)

        (b) Parse the padded message into N 2n-bit blocks, $M^{(1)}, \ldots, M^{(N)}$

        (c) Set the initial value of the double pipe to $H^{(0)}$

    2 Hash computation

        FOR i = 1 to N DO

        (a) $Q_a^{(i)} = f_0(M^{(i)}, H^{(i-1)})$

        (b) $Q_b^{(i)} = f_1(M^{(i)}, Q_a^{(i)})$

        (c) $H^{(i)} = f_2(M^{(i)}, Q_a^{(i)}, Q_b^{(i)})$

        END

    3 The resulting hash is the least significant n bits of $H^{(N)}$, i.e. $(H_8^{(N)} \| \ldots \| H_{15}^{(N)})$

  • Description of Blue Midnight Wish – cont’d

    Wide-Pipe Strategy (Lucks, 2004)

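    [Figure: chain of $f_0$, $f_1$, $f_2$ applied to the message blocks $M^{(0)}, M^{(1)}, \ldots, M^{(N-1)}$ and the chaining values $H^{(0)}, H^{(1)}, \ldots, H^{(N-1)}, H^{(N)}$, with a final step T giving $H^{(N)}_{8..15}$]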

    Internal chaining values have a size independent of the final hash

    “Widen” the internal pipe from n bit to $w \geq 2n$ bit

    Use two compression functions

    It is unlikely to find local collisions

    Input values for each compression function

    $H^{(i)} \equiv (H_0^{(i)} \| \ldots \| H_{15}^{(i)})$, $16 \times w$-bit

    $M^{(i)} \equiv (M_0^{(i)} \| \ldots \| M_{15}^{(i)})$, $16 \times w$-bit

  • Description of Blue Midnight Wish – cont’d

    Graphical Representation of Blue Midnight Wish

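    [Figure: $M^{(1)}$ and $H^{(0)}$ enter $f_0$ and $f_1$ (pipe extension) giving $Q^{(1)}$; $f_2$ (folding) gives $H^{(1)}$; the next pipe extension with $M^{(2)}$ gives $Q^{(2)}$, and so on]

    $Q^{(i)} \equiv (Q_0^{(i)} \| \ldots \| Q_{31}^{(i)})$, $32 \times w$-bit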

  • Description of Blue Midnight Wish – cont’d

    Graphical Representation of the compression function

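    [Figure: $M^{(i)}$ and $H^{(i-1)}$ pass through $f_0$ giving $Q_a^{(i)}$, through $f_1$ giving $Q_b^{(i)}$, and through $f_2$ giving $H^{(i)}$]

    $Q_a^{(i)} \equiv (Q_0^{(i)} \| \ldots \| Q_{15}^{(i)})$

    $Q_b^{(i)} \equiv (Q_{16}^{(i)} \| \ldots \| Q_{31}^{(i)})$

    $Q^{(i)} \equiv (Q_a^{(i)}, Q_b^{(i)})$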

  • Design Properties of Blue Midnight Wish

    Description of f0

    $f_0 : \{0,1\}^{4n} \to \{0,1\}^{2n}$

    $f_0(M^{(i)}, H^{(i-1)}) = A_2(A_1(M^{(i)} \oplus H^{(i-1)})) = Q_a^{(i)}$

    Bijective transformation of $M^{(i)} \oplus H^{(i-1)}$

    Produces the first half of the so-called “quadruple” pipe value $Q^{(i)}$

    Lemma (Excerpt from Lemma 6 in Gligoroski et al. (2008))

    Every one bit difference in the vector $M^{(i)}$ or in the vector $H^{(i-1)}$ after applying the function $f_0$ diffuses into 5 words of the vector $Q_a^{(i)}$, and the differences in those 5 words are minimum 1 or 2 bits difference, or minimum 3 or 4 bits difference.

  • Design Properties of Blue Midnight Wish – cont’d

    Step 1 of the function $f_0$, $A_1(M^{(i)} \oplus H^{(i-1)})$

    Nonsingular matrix $A_1$ of type (16,16), $(a_{i,j}) \in \{0, 1, -1\}$

    Matrix obtained from a (0,1)-matrix $A'_1$ by randomly negating some values of “1”

    The first row in $A'_1$ is defined by the elements

    (0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0)

    Then, the product $A'_1 \times M^{(i)}$ can be expressed as

    $A'_1 \times M^{(i)} = ROTR^{05}(M^{(i)}) + ROTR^{07}(M^{(i)}) + ROTR^{10}(M^{(i)}) + ROTR^{13}(M^{(i)}) + ROTR^{14}(M^{(i)})$

  • Design Properties of Blue Midnight Wish – cont’d

    Step 1 of the function $f_0$, $A_1(M^{(i)} \oplus H^{(i-1)})$

    In other words we have

    $ROTR^{05}(M^{(i)}) = (M_{11}^{(i)}, M_{12}^{(i)}, \ldots, M_9^{(i)}, M_{10}^{(i)})$

    $ROTR^{07}(M^{(i)}) = (M_9^{(i)}, M_{10}^{(i)}, \ldots, M_7^{(i)}, M_8^{(i)})$

    $ROTR^{10}(M^{(i)}) = (M_6^{(i)}, M_7^{(i)}, \ldots, M_4^{(i)}, M_5^{(i)})$

    $ROTR^{13}(M^{(i)}) = (M_3^{(i)}, M_4^{(i)}, \ldots, M_1^{(i)}, M_2^{(i)})$

    $ROTR^{14}(M^{(i)}) = (M_2^{(i)}, M_3^{(i)}, \ldots, M_0^{(i)}, M_1^{(i)})$

    and

    $A'_1 \times M^{(i)} = (M_{11}^{(i)} + M_{12}^{(i)} + \ldots + M_9^{(i)} + M_{10}^{(i)} + M_9^{(i)} + M_{10}^{(i)} + \ldots + M_1^{(i)})$

  • Design Properties of Blue Midnight Wish – cont’d

    Step 1 of the function $f_0$, $A_1(M^{(i)} \oplus H^{(i-1)})$

    Lemma (Excerpt from Lemma 2 in Gligoroski et al. (2008))

    The transformation $A_1 \times M^{(i)}$ diffuses every one bit difference in the vector $M^{(i)}$ into at least 5 bit differences.

  • Design Properties of Blue Midnight Wish – cont’d

    Step 2 of the function $f_0$, $A_2(A_1(M^{(i)} \oplus H^{(i-1)}))$

    $A_2 : \{0,1\}^{16w} \to \{0,1\}^{16w}$

    Permutation should diffuse a one-bit difference in each word of $Q_a^{(i)}$ into k-bit differences, $k \geq 2$

    Mapping $A_2$ is defined by six logic functions $s_i$, $0 \leq i \leq 5$

        (a) $s_0, \ldots, s_3$ diffuse a one-bit difference into a 3-bit or 4-bit difference

        (b) $s_4$ and $s_5$ diffuse a one-bit difference into a 1-bit or 2-bit difference

    $s_0(x) = SHR^1(x) \oplus SHL^3(x) \oplus ROTL^4(x) \oplus ROTL^{19}(x)$

    $s_1(x) = \cdots$

    $s_2(x) = \cdots$

    $s_3(x) = \cdots$

    $s_4(x) = SHR^1(x) \oplus x$

    $s_5(x) = SHR^2(x) \oplus x$
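
    A check of the diffusion figures in (a) and (b), as an added example that is not part of the original slides: it measures, for the three functions written out above, how many output bits change for each single-bit input flip and where the smaller value occurs. The word size w = 32 and all helper names are assumptions of this example; s1 to s3 are not given on the slide and are left out.

```python
import random

W = 32                        # word size assumed for the constants shown on the slide
MASK = (1 << W) - 1

def shl(x, n): return (x << n) & MASK
def shr(x, n): return x >> n
def rotl(x, n): return ((x << n) | (x >> (W - n))) & MASK

def s0(x): return shr(x, 1) ^ shl(x, 3) ^ rotl(x, 4) ^ rotl(x, 19)
def s4(x): return shr(x, 1) ^ x
def s5(x): return shr(x, 2) ^ x

def diffusion_profile(s):
    """Weight of the output difference for a flip of input bit j, j = 0..W-1.

    s0, s4 and s5 are XORs of shifts and rotations, hence linear over GF(2):
    s(x ^ e_j) ^ s(x) = s(e_j) for every x, so one evaluation per bit suffices.
    """
    return [bin(s(1 << j)).count("1") for j in range(W)]

def weak_positions(s):
    """Bit positions whose flip diffuses into fewer bits than the maximum."""
    profile = diffusion_profile(s)
    return [j for j, w in enumerate(profile) if w < max(profile)]

def difference_is_input_independent(f, trials=2000, seed=2009):
    """Check f(x ^ e_j) ^ f(x) == f(e_j) ^ f(0) on random x and j."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, e = rng.getrandbits(W), 1 << rng.randrange(W)
        if f(x ^ e) ^ f(x) != f(e) ^ f(0):
            return False
    return True

def add_const(x):
    # Contrast case: modular addition, where the output difference depends on x.
    return (x + 0x5A5A5A5A) & MASK

if __name__ == "__main__":
    for name, s in (("s0", s0), ("s4", s4), ("s5", s5)):
        print(name, sorted(set(diffusion_profile(s))), "low weight at bits", weak_positions(s))
    print("addition input-independent:", difference_is_input_independent(add_const))
```

    The smaller weights occur only at the word edges, where a shift pushes the flipped bit out of the word.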

  • Design Properties of Blue Midnight Wish – cont’d

    Description of f1

    $f_1 : \{0,1\}^{4n} \to \{0,1\}^{2n}$

    $f_1(M^{(i)}, Q_a^{(i)}) = Q_b^{(i)}$

    Uses two types of expansion functions to generate $Q_b^{(i)}$ from $Q_a^{(i)}$

    $f_1$ is a multi-permutation depending on a security parameter $P \leq 16$

    P defines the number of “complex” rounds. Consequently, the number of “simple” rounds is $16 - P$. Per default, P = 14 is chosen.

    16-round block cipher $f_1$

  • Design Properties of Blue Midnight Wish – cont’d

    Description of f1

    A complex round called expand1() computes $Q_j^{(i)}$ based on $Q_{j-1}^{(i)}, Q_{j-2}^{(i)}, \ldots, Q_{j-16}^{(i)}$, $16 \leq j < 16 + P$ as follows:

    $W_{j-16}^{(i)} = M_{(j-16) \bmod 16}^{(i)} + M_{(j-13) \bmod 16}^{(i)} - M_{(j-6) \bmod 16}^{(i)}$

    $K_{j-16}^{(i)} = \text{const}$

    $Q_j^{(i)} = s_1(Q_{j-16}^{(i)}) + s_2(Q_{j-15}^{(i)}) + s_3(Q_{j-14}^{(i)}) + s_0(Q_{j-13}^{(i)}) + \ldots + s_0(Q_{j-1}^{(i)}) + W_{j-16}^{(i)} + K_{j-16}^{(i)}$

  • Design Properties of Blue Midnight Wish – cont’d

    Description of f1

    A simple round called expand2() computes $Q_j^{(i)}$ based on $Q_{j-1}^{(i)}, Q_{j-2}^{(i)}, \ldots, Q_{j-16}^{(i)}$, $16 + P \leq j < 32$ as follows:

    $W_{j-16}^{(i)} = M_{(j-16) \bmod 16}^{(i)} + M_{(j-13) \bmod 16}^{(i)} - M_{(j-6) \bmod 16}^{(i)}$

    $K_{j-16}^{(i)} = \text{const}$

    $Q_j^{(i)} = Q_{j-16}^{(i)} + r_1(Q_{j-15}^{(i)}) + Q_{j-14}^{(i)} + r_2(Q_{j-13}^{(i)}) + \ldots + r_7(Q_{j-3}^{(i)}) + s_5(Q_{j-2}^{(i)}) + s_4(Q_{j-1}^{(i)}) + W_{j-16}^{(i)} + K_{j-16}^{(i)}$

    Uses simple rotations $r_i$, $1 \leq i \leq 7$, instead of the more complex logic functions $s_i$

    E.g. $r_1(x) = ROTL^3(x)$ or $r_7(x) = ROTL^{27}(x)$

  • Design Properties of Blue Midnight Wish – cont’d

    Description of f2

    $f_2 : \{0,1\}^{6n} \to \{0,1\}^{2n}$

    Technically this is the true compression function

    48 words, $M^{(i)}$ and $Q^{(i)}$, are compressed down to 16 words $H^{(i)}$

    Computation is based on two constants XL, XH and low primitive operations

    $XL = Q_{16}^{(i)} \oplus Q_{17}^{(i)} \oplus \ldots \oplus Q_{23}^{(i)}$

    $XH = XL \oplus Q_{24}^{(i)} \oplus Q_{25}^{(i)} \oplus \ldots \oplus Q_{31}^{(i)}$

  • Design Properties of Blue Midnight Wish – cont’d

    Description of f2

  • Security Claims of Blue Midnight Wish

    Cornerstones in the design of Blue Midnight Wish

    Diffusion characteristics

    Double pipe construction

    Nonlinear expressions in the f2 function

    Infeasibility of finding collisions, preimages and second preimages

    Design uses combinations of linear and nonlinear operations

    $f_1$ is a multi-permutation

    Represent the overall design as a generalized PGV6 scheme

    It is hard to consistently change all three inputs of $f_2$ in such a way that they will cancel each other out or lead to controllable changes

  • Security Claims of Blue Midnight Wish – cont’d

    Generalized PGV6 scheme

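    PGV6 scheme: $H_i = E(M_i, M_i \oplus H_{i-1}) \oplus M_i \oplus H_{i-1}$ (left)

    BMW scheme: $H_i = f_2(M_i, H_{i-1}, E(M_i, M_i \oplus H_{i-1}))$ (right)

    [Figure: the PGV6 scheme (left) and the BMW scheme (right), each with inputs $M_i$ and $H_{i-1}$, block cipher E and output $H_i$; the BMW scheme additionally contains $f_2$]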

  • Security Claims of Blue Midnight Wish – cont’d

    Generalized PGV6 scheme (Proof)

    $H_i = f_2(M_i, Q_a, Q_b)$

        (a) $Q_a$ describes the exclusive-OR part $M_i \oplus H_{i-1}$ due to the definition $Q_a = f_0(M_i, H_{i-1}) = A_2(A_1(M_i \oplus H_{i-1}))$

        (b) $Q_b$ is defined as $Q_b = f_1(M_i, Q_a) = f_1(M_i, f_0(M_i, H_{i-1}))$ and $M_i$ can be seen as a key to the block cipher:

            $f_1(M_i, A_2(A_1(M_i \oplus H_{i-1}))) \equiv E(M_i, M_i \oplus H_{i-1})$

    Thus, $f_2$ combines all three components $M_i$, $H_{i-1}$ and $E(M_i, M_i \oplus H_{i-1})$

    Blue Midnight Wish can be represented as a generalized PGV6 scheme, such that

        $H_i = f_2(M_i, H_{i-1}, E(M_i, M_i \oplus H_{i-1}))$

  • Security Claims of Blue Midnight Wish – cont’d

    Approximation of additions and subtractions with exclusive-OR is computationally too expensive

    Find values for which additions and subtractions behave like exclusive-ORs

    One would have a completely linear system for which collisions, preimages and second preimages can easily be found

    Getting all additions to behave as exclusive-ORs is hard

    Computing the differential properties of addition modulo $2^n$ for two variables is feasible (Lipmaa and Moriai, 2001)

    Blue Midnight Wish uses a complex system of additions and subtractions with more than just two variables. An algorithm to solve these equations has exponential complexity, i.e. $O(2^{b \times k})$, where b is the bit length of the variables, and k is the number of equations. (Paul and Preneel, 2005)
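
    The feasible two-variable case cited above, as an added example that is not part of the original slides: Algorithm 2 of Lipmaa and Moriai gives the XOR-differential probability of addition modulo 2^n in a constant number of word operations, cross-checked here against exhaustive counting on small words. Function names are this example's own; the sample differences are constructed.

```python
from fractions import Fraction

def eq(x, y, z, mask):
    """Bit i of the result is 1 iff x_i == y_i == z_i."""
    return (~x ^ y) & (~x ^ z) & mask

def xdp_add(alpha, beta, gamma, n):
    """Pr over uniform n-bit x, y that ((x^alpha) + (y^beta)) ^ (x + y) == gamma mod 2^n.

    Lipmaa-Moriai Algorithm 2: a few word operations plus one popcount.
    """
    mask = (1 << n) - 1
    a1, b1, g1 = (alpha << 1) & mask, (beta << 1) & mask, (gamma << 1) & mask
    if eq(a1, b1, g1, mask) & (alpha ^ beta ^ gamma ^ b1):
        return Fraction(0)                        # impossible differential
    # Every bit below the MSB where the three differences disagree costs a factor 1/2.
    weight = bin(~eq(alpha, beta, gamma, mask) & (mask >> 1)).count("1")
    return Fraction(1, 1 << weight)

def xdp_add_exhaustive(alpha, beta, gamma, n):
    """Same probability by counting all 2^(2n) input pairs; only viable for tiny n."""
    mask = (1 << n) - 1
    hits = sum(1 for x in range(1 << n) for y in range(1 << n)
               if ((((x ^ alpha) + (y ^ beta)) ^ (x + y)) & mask) == gamma)
    return Fraction(hits, 1 << (2 * n))

def behaves_like_xor(alpha, beta, n):
    """Probability that addition maps the differences (alpha, beta) to alpha ^ beta."""
    return xdp_add(alpha, beta, alpha ^ beta, n)

if __name__ == "__main__":
    msb = 1 << 31
    print(behaves_like_xor(msb, msb, 32))         # MSB differences: the carry leaves the word
    print(behaves_like_xor(0x00000001, 0, 32))    # LSB difference: carry chain must stop at once
    print(behaves_like_xor(0x0F0F0F0F, 0, 32))    # 16 active bits below the MSB
```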

  • Security Claims of Blue Midnight Wish – cont’d

    Differential cryptanalysis is infeasible

    Strong diffusion characteristics

    Two different expansion functions in $f_1$ require different differentials

    Heavy usage of permutations

    Theorem (Excerpt from Theorem 2 in Gligoroski et al. (2008))

    When $M_i$ or $H_{i-1}$ is fixed, $f_0(M_i, H_{i-1})$ is a bijection.

    When $M_i$, $Q_a$ or $Q_b$ is fixed, $f_1(M_i, Q_a)$ is a bijection (multi-permutation).

    When $M_i$ and $Q_b$ are fixed, $f_2(M_i, Q_a, Q_b)$ is a bijection.

    When $Q_a$ and $Q_b$ are fixed, $f_2(M_i, Q_a, Q_b)$ is a bijection.

  • Security Claims of Blue Midnight Wish – cont’d

    Further security claims

    Designers are not aware of any weaknesses regarding the security parameter P, even if P = 16 or P = 0 is chosen.

    BMW can be securely used in combination with a HMAC

    Resistance against generic length extension attacks and multicollision attacks due to the Wide-Pipe Design

  • Cryptanalysis of Blue Midnight Wish

    Observations

    The function $f_0(M_i, H_{i-1}) = Q_a$ is easily invertible

        Given $M_i$ and $Q_a$

        Compute $H_{i-1} = f_0^{-1}(Q_a) \oplus M_i$

    The function $f_1(M_i, Q_b) = Q_a$ is a multi-permutation, such that

        Given $Q_a$ and $Q_b$ $\Rightarrow$ $M_i$ can be computed

        Given $M_i$ and $Q_b$ $\Rightarrow$ $Q_a$ can be computed

    Function f1 is a weak block cipher

  • Cryptanalysis of Blue Midnight Wish – cont’d

    Function f1 is a weak block cipher

    Applied block cipher $f_1$ is distinguishable from an ideal random function

    Monomial tests were used to evaluate the statistical properties of the cipher

    A statistical measure is used to compute the deviation from an ideal random Boolean function

    It is shown that the first word (32-bit/64-bit) is distinguishable ($Q_{16}$)

    Why is the overall hash function not weak?

    Compensation by the double-pipe design

    From $Q_{17}$ on, all words in $Q_b$ are not distinguishable

    Feedback function in the PGV6 scheme is a complex function, i.e. $f_2$

  • Cryptanalysis of Blue Midnight Wish – cont’d

    Known vulnerabilities

    A near-collision attack on the Blue Midnight Wish compression function (Thomsen, 2008)

    Cryptanalysis of Blue Midnight Wish (Thomsen, 2009)

  • Cryptanalysis of Blue Midnight Wish – cont’d

    A near-collision attack for the compression function

    Since the chaining input H is only used in the input to the function $f_0$, and here it is XORed with the message block M before being used, it is easy to find collisions in $f_0$: any pair of $((H, M), (H', M'))$ of inputs of $f_0$, such that $H \oplus M = H' \oplus M'$, collides. The output of $f_0$ is used as the input to both $f_1$ and $f_2$.

    Idea: Cancel differences out in the sum of the three message words by flipping the most significant bit of the words $M_i$, $0 \leq i \leq 14$. This has the effect that for all i from 16 to 30 differences in the message words cancel out. Only a difference in $Q_{31}$ remains.

    $H = 0$, $M_i = 0$ with $0 \leq i \leq 14$, and $M_{15}$ = c1c2

  • Cryptanalysis of Blue Midnight Wish – cont’d

    A near-collision attack for the compression function

    Results

    256-bit output: only differences for 14 bit

  • Cryptanalysis of Blue Midnight Wish – cont’d

    Cryptanalysis of the compression function

    Free-start collisions in $O(2^{\frac{3n}{8}+1})$

    Free-start (second) preimages in $O(2^{\frac{3n}{4}+1})$

    Idea: Fixing any input of the compression function $f_2$ to a certain value can simplify the computation within $f_2$

        $Q_b = 0$

        $Q_a = 0$ and $Q_b = 0$

    It [..] seems difficult to extend the pseudo-attacks to real attacks on the hash function.

  • Cryptanalysis of Blue Midnight Wish – cont’d

    Fix $Q_i$, $0 \leq i \leq 31$ to a certain value to simplify the function $f_2$

    Example: $Q_i = 0$ for $16 \leq i \leq 32$

    It follows that $XL = 0$, $XH = 0$ and

    $H_0^{(i)} = M_0^{(i)} + Q_0^{(i)}$

    $H_1^{(i)} = M_1^{(i)} + Q_1^{(i)}$

    ...

    $H_8^{(i)} = ROTL^{9}(H_4^{(i)}) + M_8^{(i)} + Q_8^{(i)}$

    ...

    $H_{15}^{(i)} = ROTL^{16}(H_3^{(i)}) + M_{15}^{(i)} + Q_{15}^{(i)}$

  • Conclusions

    Blue Midnight Wish

    Provides good diffusion characteristics

    Uses a double pipe construction

    Very fast hash computation

    Some weaknesses in the compression function

    Currently, only limited attacks

  • Conclusions

    SHA-2 will soon retire, because NIST is learning and SHA-1 is burning.

    SHA-2 will soon retire, no we didn’t light it but we tried to fight it.

  • References

    [Gligoroski et al. 2008] Gligoroski, Danilo; Klima, Vlastimil; Knapskog, S; El-Hadedy, Mohamed: Blue Midnight Wish. (2008). http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf

    [Lipmaa and Moriai 2001] Lipmaa, H; Moriai, S: Efficient Algorithms for Computing Differential Properties of Addition. In: Fast Software Encryption 2355 (2001), pp. 336–350

    [Lucks 2004] Lucks, Stefan: Design principles for iterated hash functions. In: IACR eprint archive (2004), Jan. http://mirror.cr.yp.to/eprint.iacr.org/2004/253.pdf

    [Paul and Preneel 2005] Paul, Souradyuti; Preneel, Bart: Solving Systems of Differential Equations of Addition. In: ACISP, 2005, pp. 75–88

    [Preneel et al. 1994] Preneel, B; Govaerts, R; Vandewalle, J: Hash functions based on block ciphers: A synthetic approach. In: Lecture Notes in Computer Science (1994), Jan. http://www.springerlink.com/index/adq9luqrkkxmgk03.pdf

    [Thomsen 2008] Thomsen, SS: A near-collision attack on the Blue Midnight Wish compression function. (2008). http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf

    [Thomsen 2009] Thomsen, SS: Pseudo-cryptanalysis of Blue Midnight Wish. (2009), Apr, 1–7. http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf
