

Differential Cryptanalysis of Hash Functions: How to find Collisions?

Martin Schläffer

Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Austria

[email protected]

Albena 2011

Albena Hash Function Cryptanalysis I 1


Outline

1 Motivation

2 Collision Attacks

3 Differential Cryptanalysis of Hash Functions
    Application to SHA-1

4 The Rebound Attack
    Application to Whirlpool
    Application to Grøstl

5 Conclusion


Motivation

Cryptanalysis of block ciphers: well understood
Cryptanalysis of hash functions: not so much

hash functions were attacked like block ciphers

⇒ Attacks on the MD family by Wang et al. broke SHA-1 (collision attack far below the 2^{n/2} = 2^80 birthday bound)

NIST SHA-3 competition:
- to find a successor of SHA-1
- to focus research on hash function cryptanalysis


Cryptographic Hash Function

[Figure: m → h → h(m)]

Hash function h maps an arbitrary-length input m to an n-bit output h(m)

Collision Resistance (generic cost 2^{n/2}):
    find m, m′ with m ≠ m′ and h(m) = h(m′)

Second-Preimage Resistance (2^n):
    given m and h(m), find m′ with m ≠ m′ and h(m) = h(m′)

Preimage Resistance (2^n):
    given h(m), find a message m′ with h(m′) = h(m)


Iterated Hash Function Construction

[Figure: IV → f(M1) → f(M2) → f(M3) → … → f(Mt) → g → H(m); the chaining values are w bits wide, the output is n bits]

Most hash functions use some kind of iteration:
- compression function f
- output transformation g
- chaining value size w ≥ n

Strength depends on f, g and w:
- a smaller w needs a stronger f

The building blocks f and g are analyzed as well


Collision Attacks

[Figure: m → h → h(m) and m* → h → h(m*), with m ≠ m* and h(m) = h(m*)]

Find two different messages which result in the same hash value:

    m ≠ m* with h(m) = h(m*)

birthday effect applies: generic complexity 2^{n/2}


Collision Attacks (Differential View)

[Figure: m → h → h(m) and m* → h → h(m*); the input difference Δm ≠ 0 maps to the output difference Δh(m) = 0]

Find two different messages which result in the same hash:

    m, Δm with Δm ≠ 0 and Δh(m) = 0

Usually XOR differences are used:

    Δm = m ⊕ m*   and   Δh(m) = h(m) ⊕ h(m*)
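The generic birthday search and the differential view of its result, as an added example that is not code from the original slides. It truncates SHA-256 to n = 32 bits (an assumption made here so that the 2^{n/2} = 2^16 search finishes in well under a second), hashes constructed 8-byte counter messages until two digests repeat, and reports the collision as a pair (Δm ≠ 0, Δh = 0); a small table shows that the cost grows like 2^{n/2}, not 2^n.

```python
"""Birthday collision search on a truncated hash and the differential view
of the result. Added example, not code from the original slides.

Assumption: h is SHA-256 truncated to n = 8 * N_BYTES bits so that the
generic 2^(n/2) search finishes quickly for n = 32."""
import hashlib
import math

N_BYTES = 4  # n = 32 bits


def h(m: bytes, n_bytes: int = N_BYTES) -> bytes:
    """n-bit hash: the first n_bytes bytes of SHA-256(m)."""
    return hashlib.sha256(m).digest()[:n_bytes]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR difference a ⊕ b of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR difference needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def birthday_collision(n_bytes: int = N_BYTES, max_trials: int = 1 << 20):
    """Generic collision search: hash distinct 8-byte counter messages
    (constructed here) and stop at the first repeated digest.
    Returns (m, m_star, trials)."""
    seen = {}  # digest -> message that produced it
    for i in range(max_trials):
        m = i.to_bytes(8, "big")
        d = h(m, n_bytes)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
    raise RuntimeError("no collision within max_trials")


def expected_trials(n_bits: int) -> float:
    """Birthday estimate sqrt(pi/2 * 2^n) for the number of hash
    evaluations until the first collision, i.e. about 2^(n/2)."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)


def differential_view(m: bytes, m_star: bytes, n_bytes: int = N_BYTES):
    """Return (Δm, Δh) as XOR differences. A collision means Δm != 0
    and Δh == 0 (all-zero bytes)."""
    dm = xor_bytes(m, m_star)
    dh = xor_bytes(h(m, n_bytes), h(m_star, n_bytes))
    return dm, dh


def scaling_table(byte_sizes=(2, 3, 4)):
    """Trials until collision for several output sizes next to the
    birthday estimate; the cost grows like 2^(n/2), not 2^n."""
    rows = []
    for nb in byte_sizes:
        _, _, trials = birthday_collision(nb)
        rows.append((8 * nb, trials, expected_trials(8 * nb)))
    return rows


if __name__ == "__main__":
    m, m_star, trials = birthday_collision()
    dm, dh = differential_view(m, m_star)
    print(f"collision after {trials} evaluations "
          f"(estimate {expected_trials(8 * N_BYTES):.0f})")
    print(f"m  = {m.hex()}   m* = {m_star.hex()}   h = {h(m).hex()}")
    print(f"Δm = {dm.hex()}   Δh = {dh.hex()}")
    for n_bits, t, est in scaling_table():
        print(f"n = {n_bits:2d} bits: {t:7d} trials, estimate {est:9.0f}")
```

The search stores every digest it has seen, so its memory is also about 2^{n/2}; a cycle-finding variant (Floyd, van Oorschot-Wiener) removes that cost but does not change the 2^{n/2} number of hash evaluations, which is exactly the bound a differential characteristic with P > 2^{-n/2} has to beat.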


Differential Characteristic

[Figure: Δm ≠ 0 → h → Δh(m) = 0; what happens inside h is the open question]

how to find m, Δm?

find a differential characteristic (trail, path):
- it determines Δm
- it holds with (high) probability P

if P > 2^{-n/2}:
- find a colliding m by trying about 1/P random messages
- complexity 1/P < 2^{n/2}

⇒ how to improve the complexity of the attack?

⇒ how to find good differential characteristics?


How to Improve Complexity of Attack?

[Figure: Δm ≠ 0 → h → Δh(m) = 0]

Good characteristic for block ciphers:
- optimizes the probability

Good characteristic for hash functions:
- optimizes the probability
- minimizes the effort to find m

How to find m?
- no secret key is involved
- we can choose m according to the characteristic
- the resulting equations in the first steps are easy (only a small part of the message is involved)
- reduced costs at the input of the characteristic

⇒ use a characteristic with lower probability at the input to get a higher probability towards the end


How to Find Good Differential Characteristics?

block cipher based design:
- use the characteristic of a block cipher attack (also related-key characteristics)

by hand:
- MD4, MD5, SHA-1 (Wang et al.)

(semi-)automatic tools:
- linearize the hash function (coding tools)
- non-linear differential search

by design:
- the best characteristics are well known


Example: SHA-1

high probability in the second part (L):
- linearize the hash function [RO05]
- search for a linear differential characteristic using low-weight code search

connect with the IV in the first part (NL):
- low probability
- search for a non-linear characteristic [WYY05, DR06]

message modification:
- easy for the first 16 steps (just invert the step equation)
- also possible for more steps (≤ 25) with advanced message modification


Finding Linear Characteristics

Message expansion is linear

Linearize modular addition by XOR:
- no carry with probability 1/2

Linearize the Boolean function by XOR:
- holds with probability ∼1/2

Probabilities are given for single-bit differences
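The two linearization steps can be checked exactly rather than taken on faith. The following is an added example, not code from the slides: it works on an 8-bit word (an assumption made so that the modular-addition check is exhaustive over all 65536 pairs) and on the bitwise Boolean functions IF, MAJ and XOR of the SHA-1 step function, counting how often a single-bit difference passes through exactly as its XOR-linearized model predicts.

```python
"""Exact probabilities behind the XOR-linearization of modular addition and
of the SHA-1 Boolean functions, for single-bit differences. Added example,
not code from the original slides.

Assumption: WORD = 8 so the addition check is exhaustive over all (x, k);
the 1/2 argument does not depend on the word size, and the most significant
bit is the one exception (no carry can leave the word)."""
from fractions import Fraction
from itertools import product

WORD = 8
MASK = (1 << WORD) - 1


def add_diff_prob(bit: int) -> Fraction:
    """P[(x + k) ⊕ ((x ⊕ δ) + k) == δ] for δ = 2^bit over all x, k.
    Equality means the difference went through the modular addition as
    through an XOR, i.e. no carry was produced by the flipped bit."""
    delta = 1 << bit
    hits = 0
    for x, k in product(range(1 << WORD), repeat=2):
        y = (x + k) & MASK
        y_star = ((x ^ delta) + k) & MASK
        hits += (y ^ y_star) == delta
    return Fraction(hits, 1 << (2 * WORD))


# SHA-1 step functions on single bits (IF in steps 1-20, XOR in steps 21-40
# and 61-80, MAJ in steps 41-60).
def f_if(b, c, d):
    return (b & c) | ((b ^ 1) & d)


def f_maj(b, c, d):
    return (b & c) | (b & d) | (c & d)


def f_xor(b, c, d):
    return b ^ c ^ d


def bool_diff_prob(f, flipped: int) -> Fraction:
    """P[f(b, c, d) ⊕ f(b', c', d') == 1] over all single-bit inputs when
    only input number `flipped` (0 = b, 1 = c, 2 = d) carries a difference:
    how often the difference shows up at the output of f."""
    hits = 0
    for bits in product((0, 1), repeat=3):
        star = list(bits)
        star[flipped] ^= 1
        hits += f(*bits) ^ f(*star)
    return Fraction(hits, 8)


def linearization_report() -> dict:
    """Every probability a linearized single-bit model has to pay for."""
    report = {f"add bit {i}": add_diff_prob(i) for i in range(WORD)}
    for name, f in (("IF", f_if), ("MAJ", f_maj), ("XOR", f_xor)):
        for pos, inp in enumerate("bcd"):
            report[f"{name} diff in {inp}"] = bool_diff_prob(f, pos)
    return report


if __name__ == "__main__":
    for key, prob in linearization_report().items():
        print(f"{key:16s} {prob}")
```

Every addition and every IF or MAJ a single-bit difference passes costs a factor 1/2 in the probability of the linear characteristic, while XOR (the parity steps) and the most significant bit of an addition cost nothing; this is why the low-weight code search below looks for characteristics with as few active bits as possible.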


Finding Linear Characteristics

Differences with low Hamming weight result in good probability

Finding a good linear characteristic corresponds to finding a low-weight code word in a linear code

A good representation of the hash function is important

Open source tool to find low-weight code words:
http://www.iaik.tugraz.at/content/research/krypto/codingtool/


Finding Non-Linear Characteristics [DR06]

Using generalized conditions


Finding Non-Linear Characteristics [DR06]

Determine the message difference and the difference after step 16:
- using the linear tool

Find the propagation of the differences:
- using the non-linear tool

Add conditions to control the differences:
- no probability needed here

Find a conforming message pair:
- message modification until step 25
- probabilistic for the further steps


Message Modification

To improve the complexity of the attack in the first few steps (up to step 25 in the case of SHA-1)

Many dedicated techniques have been published:
- advanced message modification [WYY05]
- equation solving [SKPI07]
- neutral bits [BC04]
- boomerangs / tunnels [JP07, Kli06]
- greedy approach [DMR07]

Resulting theoretical complexity for SHA-1: ∼2^63 [WYY05]

implementation overhead!


The Rebound Attack [MRST09]

One more tool in the cryptanalysis of hash functions
Invented during the cryptanalysis of Whirlpool and Grøstl

AES-based designs allow a simple application of the idea

Related work:
- truncated differentials
- inside-out techniques
- meet-in-the-middle techniques
- message modification
- ...

Has been applied to a wide range of hash functions:
Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ...


The Rebound Attack

[Figure: E_bw | E_in | E_fw, labelled outbound | inbound | outbound]

Applies to block-cipher and permutation based designs:

    E = E_fw ∘ E_in ∘ E_bw        P = P_fw ∘ P_in ∘ P_bw

Inbound phase:
- efficient meet-in-the-middle phase in E_in
- aided by the available degrees of freedom

Outbound phase:
- probabilistic part in E_bw and E_fw
- repeat the inbound phase if needed


The Whirlpool Hash Function

Designed by Barreto and Rijmen in 2000 [BR00]
- evaluated by NESSIE
- standardized in ISO/IEC 10118-3:2003

Iterative hash function based on the Merkle-Damgård design principle

message block, chaining value, hash size: 512 bit

[Figure: IV → f(M1) → f(M2) → f(M3) → … → f(Mt) → H(m)]


The Whirlpool Compression Function

[Figure: compression function; the message block M_j enters the state update (SB, SC, MR, AK), the chaining value H_{j−1} enters the key schedule (SB, SC, MR, AC), output H_j]

512-bit hash value, 512-bit message blocks
Block-cipher based design (AES-like)

Miyaguchi-Preneel mode with a conservative key schedule


The Whirlpool Round Transformations

The state update and the key schedule update an 8 × 8 state S and K of 64 bytes each
- 10 rounds each
- AES-like round transformation

    r_i = AK ∘ MR ∘ SC ∘ SB

[Figure: SubBytes S(x), ShiftColumns, MixRows, AddRoundKey K_i]


Collision Attack on Whirlpool

[Figure: compression function with a difference ΔM_j injected in the message block only; H_{j−1} carries no difference]

1-block collision:
- fixed H_{j−1} (to the IV)
- f(M_j, H_{j−1}) = f(M_j*, H_{j−1}) with M_j ≠ M_j*


Collision Attack on 4 Rounds

[Figure: 4 rounds of the state update (S0 … S4, each round SB SC MR AK) and of the key schedule (K0 … K4, each round SB SC MR AC); input M1 and IV, output H1; the key schedule is constant because H_{j−1} = IV is fixed]

Differential trail with the minimum number of active S-boxes:
- 81 for any 4-round trail (1 → 8 → 64 → 8)
- maximum differential probability: (2^{-5})^{81} = 2^{-405}

How to find a message pair following the differential trail?


First: Use Truncated Differences

[Figure: truncated 4-round trail S0 … S4 (SB SC MR AK each round), active bytes 1 → 8 → 64 → 8 → 1, M1 → H1]

byte-wise truncated differences: active / not active
- we do not care about the actual differences
- a single active byte at input and output is enough
- probabilistic in MixRows: 2^{-56} for 8 → 1

we can remove many restrictions (more freedom)
- hopefully less complexity for the message search


How to Find a Message Pair?

[Figure: truncated 4-round trail S0 … S4, M1 → H1]

message modification?
inside out?
meet in the middle?
rebound!


Rebound Attack on 4 Rounds [MRST09]

[Figure: truncated 4-round trail S0 … S4; outbound phase (round 1), inbound phase (rounds 2 and 3), outbound phase (round 4)]

Inbound phase:
(1) start with differences in rounds 2 and 3
(2) match-in-the-middle at the S-box using the values of the state

Outbound phase:
(3) probabilistic propagation in MixRows in rounds 1 and 4
(4) match the one-byte difference of the feed-forward


Inbound Phase

[Figure: example byte values of the states S_SC2 → (MR, AK) → S2 → (SB) → S_SB3 → (SC, MR) → S_MR3, i.e. from the ShiftColumns output of round 2 to the MixRows output of round 3; the hex bytes of the example are omitted here]

(1) Start with arbitrary differences in state S_MR3
- linearly propagate all differences backward to S_SB3
- linearly propagate row-wise forward from S_SC2 to S2

(2) Match-in-the-middle at the SubBytes layer
- check if the differences can be connected (for each S-box)
- with probability 2^{-xx} we get 2^{xx} solutions for each row

we get ∼2^64 right pairs with complexity ∼2^8


Difference Distribution Table (Whirlpool)

in \ out   10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
  00        0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
  01        0  6  2  0  0  6  2  0  0  0  4  0  0  0  0  0
  02        0  0  0  0  0  0  0  2  0  0  0  0  4  0  0  0
  03        0  2  2  0  2  2  0  0  2  0  0  0  0  0  0  2
  04        0  0  2  2  0  4  0  0  0  2  2  2  2  0  2  0
  05        0  0  0  0  0  2  0  2  0  0  0  0  0  0  4  2
  06        4  0  2  0  0  2  0  0  2  6  2  4  0  2  2  0
  07        0  2  2  0  0  2  0  0  4  0  2  0  2  0  2  0
  08        0  0  0  0  2  2  2  0  0  0  0  2  2  4  4  0
  09        8  0  0  0  2  4  2  2  0  0  0  0  0  2  0  2
  0a        0  0  0  0  2  0  2  0  2  0  2  0  0  0  0  0
  0b        8  2  2  2  2  0  0  0  0  2  2  2  2  2  0  4
  0c        0  2  2  0  0  0  0  4  0  2  2  0  0  2  4  2
  0d        0  2  2  0  0  2  4  4  0  0  2  2  0  0  0  2
  0e        4  0  4  2  0  0  0  0  2  0  2  0  4  2  0  0
  0f        0  2  0  0  0  2  0  0  0  0  0  0  2  0  2  2

Excerpt of the 256 × 256 table: input differences 00–0f (rows) against output differences 10–1f (columns); an entry is the number of values x with Sbox(x) ⊕ Sbox(x ⊕ in) = out. The row in = 00 is zero here because its only nonzero entry (256) is at out = 00.


Match-in-the-Middle for Single S-box

[Figure: Δa → S-box → Δb]

Check for matching input/output differences using the Difference Distribution Table (DDT):

    Sbox(x) ⊕ Sbox(x ⊕ Δa) = Δb

Solve the equation for all x and count the number of solutions:
- 25880 of the 65025 entries (with Δa, Δb ≠ 0) in the DDT are nonzero
- match with probability 0.398
- we get either 2, 4, 6 or 8 values
- 65280 values for 25880 possible differentials
- 2.522 values (right pairs) on average
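The DDT statistics above, the single-S-box match, and the extrapolation to a full row of eight S-boxes can all be computed from the S-box table alone. The following is an added example, not code from the slides or from the Whirlpool authors: the slide's numbers are for the Whirlpool S-box, whose table is not reproduced here, so as a stand-in (an assumption) the AES S-box is generated from its definition (inversion in GF(2^8) modulo x^8+x^4+x^3+x+1 followed by the affine map) and the same quantities are derived and can be compared against the Whirlpool figures quoted in the comments.

```python
"""Difference Distribution Table (DDT) and the single-S-box
match-in-the-middle step of the inbound phase. Added example, not code from
the original slides.

The slide's numbers are for the Whirlpool S-box, whose table is not
reproduced here. As a stand-in (assumption) the AES S-box is generated
from its definition (inversion in GF(2^8) mod x^8+x^4+x^3+x+1, then the
affine map), so the same statistics can be computed and compared."""
from math import log2


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) with the AES reduction polynomial 0x11b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); inv(0) = 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def aes_sbox() -> list:
    """AES S-box: S(x) = inv(x) ⊕ rotl(inv(x), 1..4) ⊕ 0x63."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        s = 0x63
        for r in range(5):
            s ^= ((b << r) | (b >> (8 - r))) & 0xFF
        box.append(s)
    return box


def ddt(sbox: list) -> list:
    """ddt[Δa][Δb] = number of x with S(x) ⊕ S(x ⊕ Δa) = Δb."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for da in range(n):
        for x in range(n):
            table[da][sbox[x] ^ sbox[x ^ da]] += 1
    return table


def match_in_the_middle(sbox: list, da: int, db: int) -> list:
    """Inbound step for one S-box: all values x such that the pair
    (x, x ⊕ Δa) follows Δa → Δb. Empty list: the input difference coming
    from S2 and the output difference coming from S_SB3 cannot be
    connected, and another pair of differences has to be tried."""
    return [x for x in range(len(sbox)) if sbox[x] ^ sbox[x ^ da] == db]


def ddt_stats(table: list) -> dict:
    """The numbers the slide reads off the DDT, for Δa, Δb != 0."""
    n = len(table)
    cells = [table[da][db] for da in range(1, n) for db in range(1, n)]
    nonzero = sum(1 for c in cells if c)
    return {
        "nonzero_entries": nonzero,                    # Whirlpool: 25880
        "total_entries": (n - 1) ** 2,                 # 255^2 = 65025
        "match_probability": nonzero / (n - 1) ** 2,   # Whirlpool: 0.398
        "total_values": sum(cells),                    # (n-1)*n = 65280 for a bijective S-box
        "values_per_match": sum(cells) / nonzero,      # Whirlpool: 2.522
        "entry_values": sorted({c for c in cells if c}),  # Whirlpool: 2, 4, 6, 8
        "max_dp": max(cells) / n,                      # Whirlpool: 8/256 = 2^-5
    }


def row_estimates(stats: dict, sboxes_per_row: int = 8) -> dict:
    """Extrapolation to one 8-byte row: all S-boxes match with probability
    p^8 and then give about (values per match)^8 solutions."""
    p_row = stats["match_probability"] ** sboxes_per_row
    sols_row = stats["values_per_match"] ** sboxes_per_row
    return {"log2_match_probability": log2(p_row),
            "log2_solutions": log2(sols_row)}


if __name__ == "__main__":
    S = aes_sbox()
    T = ddt(S)
    st = ddt_stats(T)
    for key, value in st.items():
        print(f"{key:18s} {value}")
    print("one row of 8 S-boxes:", row_estimates(st))
    db = T[0x01].index(max(T[0x01]))
    xs = match_in_the_middle(S, 0x01, db)
    print(f"Δa=01 → Δb={db:02x}: x in", [f"{x:02x}" for x in xs])
```

For the AES S-box every nonzero row of the DDT holds 126 entries of 2 and one entry of 4, so the match probability is 127/255 ≈ 0.498 and a row of eight S-boxes matches with probability about 2^{-8}; the Whirlpool S-box has a less even spectrum (entries up to 8, hence the 2^{-5} used on the 4-round trail), which gives the 0.398 and 2^{-10.6} per row quoted on the slides.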


Inbound Phase (continued, with the numbers from the DDT)

[Figure: the same example states S_SC2 → (MR, AK) → S2 → (SB) → S_SB3 → (SC, MR) → S_MR3 as above; differences are matched at SubBytes, values are obtained for the matching S-boxes]

(1) Start with arbitrary differences in state S_MR3
- linearly propagate all differences backward to S_SB3
- linearly propagate row-wise forward from S_SC2 to S2

(2) Match-in-the-middle at the SubBytes layer
- check if the differences can be connected (for each S-box)
- with probability 2^{-10.6} we get 2^{10.7} solutions for each row

⇒ we get ∼2^{8·10.7} right pairs with complexity < 2^16


Outbound Phase

[Figure: states S0–S4 through four rounds of SB, SC, MR, AK; outbound phase (2^-56) – inbound phase (average complexity 1) – outbound phase (2^-56)]

(3) Propagate through MixRows of round 1 and round 4
- using truncated differences (active bytes: 8 → 1)
- probability: 2^-56 in each direction

(4) Match the difference in one active byte of the feed-forward (2^-8)

⇒ collision for 4 rounds of Whirlpool with complexity 2^120


Extending the Attack to 5 Rounds [LMR+09]

[Figure: states S0–S5 through five rounds of SB, SC, MR, AK; outbound phase (2^-56) – inbound phase (average complexity 1) – outbound phase (2^-56)]

By adding one round to the inbound phase of the attack we can extend the attack to 5 rounds
- the outbound phase is identical to the attack on 4 rounds
- probability: 2^-120

⇒ construct 2^120 starting points in the inbound phase with average complexity 1


Inbound Phase

[Figure: Whirlpool state with example byte values; states S_SC2 → S2 → S_SB3 → S_MR3 through SC, SB, MR, AK, SB, MR; labels: 2^64 differences, match differences]

(1) Start with arbitrary differences in states S_MR3 and S_SB3
- we need to propagate all 2^64 differences backward at once

(2) Match-in-the-middle at the SuperBox (SB − MR − AK − SB)
- similar to a 64-bit S-box (the DDT has size 2^128)
- time-memory trade-off with time/memory 2^64

⇒ with complexity 2^64 we get at least 2^64 pairs
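Added example of the SuperBox match-in-the-middle and its time-memory trade-off, not from the slides: a toy 16-bit SuperBox built from a constructed 4-bit S-box, an AES-style circ(2,3,1,1) MixColumns over GF(2^4) and a fixed constant standing in for the round-key addition. Its full DDT would have 2^32 entries (2^128 for Whirlpool's 64-bit SuperBox); instead one fixed input difference is run over all 2^16 values and the resulting output differences are indexed, which is the 2^64 time/memory trade-off of the slide at toy scale.

```python
# Added example, not from the slides: the SuperBox match-in-the-middle of the
# 5-round inbound phase, scaled down to a 16-bit toy so it runs in seconds.
# Toy components (all constructed for this example, none of them Whirlpool's):
#   - a 4-bit S-box, applied before and after the linear layer,
#   - an AES-style MixColumns circ(2,3,1,1) over GF(2^4) mod x^4 + x + 1,
#   - a fixed constant in place of the round-key addition.
# SuperBox = SB -> MixColumns -> AddConstant -> SB on one 4-nibble column.
from collections import defaultdict

SBOX4 = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
CONST = [0x3, 0xA, 0x5, 0xC]
MDS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
NIBBLES = 4


def xtime(a):
    """Multiply a nibble by x in GF(2^4) modulo x^4 + x + 1."""
    a <<= 1
    return a ^ 0x13 if a & 0x10 else a


def mul(m, a):
    """Multiply by a matrix coefficient, which is only ever 1, 2 or 3."""
    if m == 1:
        return a
    if m == 2:
        return xtime(a)
    return xtime(a) ^ a  # m == 3


def mix(col):
    """Apply the MixColumns matrix to a column of four nibbles."""
    out = []
    for row in MDS:
        v = 0
        for m, c in zip(row, col):
            v ^= mul(m, c)
        out.append(v)
    return out


def superbox(v):
    """The toy SuperBox: SB -> MC -> AC -> SB on a 16-bit column value."""
    col = [SBOX4[(v >> (4 * i)) & 0xF] for i in range(NIBBLES)]
    col = [x ^ c for x, c in zip(mix(col), CONST)]
    return sum(SBOX4[x] << (4 * i) for i, x in enumerate(col))


# Evaluate the SuperBox once on all 2^16 inputs (the 2^64 enumeration of the slide).
SUPERBOX_TABLE = [superbox(v) for v in range(1 << 16)]


def outdiff_table(din):
    """For the fixed input difference din, map every reachable output difference
    to the input values producing it: one pass over 2^16 values, 2^16 stored
    values, instead of a 2^32-entry DDT."""
    table = defaultdict(list)
    for v in range(1 << 16):
        table[SUPERBOX_TABLE[v] ^ SUPERBOX_TABLE[v ^ din]].append(v)
    return dict(table)


def match_superbox(din, backward_douts):
    """Match-in-the-middle: din is the forward-propagated input difference,
    backward_douts are output differences propagated backward through the
    following linear layer. Returns the right-pair values for every output
    difference that can be connected to din."""
    table = outdiff_table(din)
    return {d: table[d] for d in backward_douts if d in table}


if __name__ == "__main__":
    din = 0x0001
    table = outdiff_table(din)
    print(f"input difference {din:#06x} reaches {len(table)} of 65535 output differences")
```

Only a fraction of the 2^16 - 1 output differences is reachable from one input difference (each unordered pair of inputs contributes a single output difference, so at most 2^15), which is why the candidate differences coming from the backward direction have to be tried in bulk against the table rather than one at a time.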


From Collisions to Near-Collisions

[Figure: states S0–S7 through seven rounds of AC, SB, SH, MB; probabilities 1, 2^-56, average 1, 2^-56, 1]

Add one round at the input and at the output
- no additional complexity
- MixRows: 1 → 8 with probability 1

⇒ near-collision attack for 7 rounds
- time complexity 2^112 and 2^64 memory
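Added example, not from the slides: the cost model behind the 2^-56, 2^-8, 2^120 and 2^112 figures of the outbound phase on the preceding slides, written as a small Python evaluator for truncated differential paths through an MDS MixRows. It models only the outbound probability and the feed-forward match; the 2^64 memory of the SuperBox inbound phase is not part of it.

```python
# Added example, not from the slides: evaluating the outbound phase of a
# truncated differential path on an AES-like state (8 bytes per row, MDS
# MixRows with branch number 9) and turning it into the attack complexity.
# The transitions below are the ones on the Whirlpool slides; the cost model
# (2^-8 per output byte forced to zero) is the usual truncated-differential estimate.
import math

ROW = 8            # bytes per row
BRANCH = ROW + 1   # MDS branch number: a + b >= 9 for every transition other than 0 -> 0
BYTE = 8           # bits per byte


def mixrows_log2p(active_in, active_out):
    """log2 of the probability that a row with active_in active bytes maps to
    exactly active_out active bytes through MixRows (forward or inverse; the
    inverse of an MDS matrix is MDS too). -inf when the MDS bound forbids it."""
    if active_in == 0 and active_out == 0:
        return 0.0
    if active_in == 0 or active_out == 0 or active_in + active_out < BRANCH:
        return -math.inf
    # For a nonzero input difference the output bytes behave like uniformly
    # random bytes; each of the ROW - active_out bytes required to be zero costs 2^-8.
    return -BYTE * (ROW - active_out)


def outbound_log2p(transitions, rows_active=1):
    """Total log2 probability of the outbound phase. transitions lists the
    (active_in, active_out) row transitions crossed when walking outward from
    the inbound phase; rows_active is how many rows each of them applies to."""
    return sum(rows_active * mixrows_log2p(a, b) for a, b in transitions)


def attack_log2_time(transitions, inbound_log2=0.0, match_bytes=0):
    """log2 time: the inbound phase delivers one starting point at cost
    2^inbound_log2 (average 1 on the slides), the outbound phase succeeds with
    the probability above, and for a collision match_bytes active bytes must
    cancel against the feed-forward, 2^-8 each. Near-collisions skip the match."""
    log2p = outbound_log2p(transitions) - BYTE * match_bytes
    return inbound_log2 - log2p


# Paths from the slides: active bytes of the single active row through MixRows,
# listed from the inbound phase outward (round 1 backward, last round forward).
WHIRLPOOL_4R_COLLISION = dict(transitions=[(8, 1), (8, 1)], match_bytes=1)
WHIRLPOOL_7R_NEAR_COLLISION = dict(transitions=[(1, 8), (8, 1), (8, 1), (1, 8)])

if __name__ == "__main__":
    print("4-round collision:      2^%d" % attack_log2_time(**WHIRLPOOL_4R_COLLISION))
    print("7-round near-collision: 2^%d" % attack_log2_time(**WHIRLPOOL_7R_NEAR_COLLISION))
```

A transition that violates the branch number (for example 1 → 1 through an MDS matrix) evaluates to -inf and makes the whole path impossible, which is the check one runs before spending any effort on values; the 5-round collision of the previous slide has the same outbound transitions as the 4-round one and therefore the same 2^120.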


Compression Function Attacks

[Figure: compression function with state update (SB, SC, MR, AK) and key schedule (SB, SC, MR, AC); inputs H_{j−1} and ∆M_j, output H_j]

We can freely choose the chaining input H_{j−1}
- no differences in H_{j−1}
- semi-free-start (near-)collisions

Extend the previous attacks by 2 rounds
- using multiple inbound phases

The outbound phases of the attacks stay the same


Inbound Phase

[Figure: states S0–S5 through five rounds of SB, SC, MR, AK; 1st inbound phase – connect – 2nd inbound phase]

Idea: use two independent inbound phases
- connect them using the 512-bit freedom of the key input (S3 = S_MR2 ⊕ K3)

A bit more tricky than that (3 key inputs involved)
- connect the rows independently
- find 2^64 solutions with complexity 2^128

⇒ collision on 7 and near-collision on 9 rounds


Summary of Results on Whirlpool

target                 rounds   computational complexity   memory requirements   type
hash function          5.5      2^(184−s)                  2^s                   collision
                       7.5      2^(176−s)                  2^s                   near-collision
compression function   7.5      2^184                      2^64                  collision
                       9.5      2^176                      2^64                  near-collision
                       10       2^188                      2^64                  distinguisher


Open Problems

[Figure: compression function with state update (SB, SC, MR, AK) and key schedule (SB, SC, MR, AC); inputs ∆H_{j−1} and ∆M_j, output H_j]

Using differences also in the chaining input

Combination of:
- related-key attacks on block ciphers
- local collisions
- rebound attack


The SHA-3 Candidate Grøstl [GKM+11]

[Figure: Grøstl compression function with permutations P and Q; inputs H_{i−1} and M_i, output H_i]

SHA-3 finalist
- AES-based hash function
- permutation-based design

Designed by DTU (Denmark) and TU Graz (Austria)
- Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen


Permutations P and Q of Grøstl

[Figure: round transformations of Q and P: AddRoundConstant (P: constants 0i, 1i, …, 7i; Q: constants fi, ei, …, 8i and ff bytes), SubBytes (S), ShiftRows, MixColumns]

AES-like round transformations
- 8×8 state and 10 rounds for Grøstl-256
- 8×16 state and 14 rounds for Grøstl-512

Based on the design principles of AES
- not using AES as a direct building block
- better diffusion, wider trails


The Rebound Attack on Grøstl

[Figure: states P0–P8 through eight rounds of AC, SB, SH, MB; probabilities 1, 2^-56, average 1, 2^-56, 1, 1]

1) Construct an optimal truncated differential path
- by hand, well known
- how to find right pairs?

2) Inbound phase
- three rounds with average complexity 1
- using SuperBox time-memory trade-offs

3) Outbound phase
- high probability for sparse paths

⇒ find solutions with complexity 2^112 and 2^64 memory


Relatively Simple Analysis of Grøstl

[Figure: Grøstl compression function, permutations Q0–Q3 and P0–P3 through rounds of AC, SB, SH, MB; inputs IV and M1, output H1; labels: 2^56, average 1, 2^8]

Easy to construct truncated differential paths
- optimal use of the available freedom (message)

Results for Grøstl-256, Grøstl-512
- hash function collisions for 3 rounds (of 10, 14)
- compression function collisions for 6 rounds (of 10, 14)


Summary for Rebound Attack on Grøstl

Lots of cryptanalysis (mostly on Grøstl-0) [MPRS09, Pey10, SLW+10, MRST09, MRST10, ITP10]

No multiple inbound phases possible

No key-schedule input (no related-key attacks)

Provable resistance against standard differential attacks

Using (powerful) truncated differentials
- still only 3 out of 10 rounds can be attacked


Summary of Rebound Attacks

Basic principle not that difficult
- efficient inbound phase
- probabilistic outbound phase

Difficulty in constructing and merging inbound phases
- finding good and sparse truncated differential paths
- efficient way to use the available freedom for the merge


Other Rebound Attacks

ECHO: big state but rather sparse truncated differential paths

JH: 4-bit S-boxes, multiple inbound phases

Lane: 2x inbound for Lane-256, 3x inbound for Lane-512

Luffa: 4-bit S-boxes, find the differential path first, then the values

Skein: rotational rebound attack

http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo


Outline

1 Motivation

2 Collision Attacks

3 Differential Cryptanalysis of Hash Functions
  Application to SHA-1

4 The Rebound Attack
  Application to Whirlpool
  Application to Grøstl

5 Conclusion


More Freedom in Attacking Hash Functions

... than in attacks on block ciphers

AES-based designs (Whirlpool, Grøstl):
- 3 rounds in the middle with (average) complexity 1
- 1.5 rounds at the beginning

ARX-based designs (SHA-1):
- up to 25 steps at the beginning with message modification


Conclusion

Differential cryptanalysis
- powerful tool in analyzing hash functions
- many hash functions broken using DC
- sparse (truncated) differential characteristics needed

AES-based designs:
- the best truncated differential path can be used (with small modifications)
- rebound attack to find differences and values simultaneously

ARX-based designs:
- unknown if good characteristics exist
- (semi-)automatic tools needed (linear, nonlinear)
- still some work to do for the ARX-based SHA-3 finalists


Thank you for your Attention!

Questions?


References

[BC04] Eli Biham and Rafi Chen. Near-Collisions of SHA-0. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of LNCS, pages 290–305. Springer, 2004.

[BR00] Paulo S. L. M. Barreto and Vincent Rijmen. The WHIRLPOOL Hashing Function. Submitted to NESSIE, September 2000, revised May 2003. Available online: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html.

[DMR07] Christophe De Cannière, Florian Mendel, and Christian Rechberger. Collisions for 70-Step SHA-1: On the Full Cost of Collision Search. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 of LNCS, pages 56–73. Springer, 2007.


[DR06] Christophe De Cannière and Christian Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of LNCS, pages 1–20. Springer, 2006.

[GKM+11] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl – a SHA-3 candidate. Submission to NIST (Round 3), January 2011. Available online: http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html.

[ITP10] Kota Ideguchi, Elmar Tischhauser, and Bart Preneel. Improved Collision Attacks on the Reduced-Round Grøstl Hash Function. In Mike Burmester, Gene Tsudik, Spyros S. Magliveras, and Ivana Ilić, editors, ISC, volume 6531 of LNCS, pages 1–16. Springer, 2010.


[JF11] Jérémy Jean and Pierre-Alain Fouque. Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function. In Fast Software Encryption, 2011. To appear.

[JP07] Antoine Joux and Thomas Peyrin. Hash Functions and the (Amplified) Boomerang Attack. In Alfred Menezes, editor, CRYPTO, volume 4622 of LNCS, pages 244–263. Springer, 2007.

[Kli06] Vlastimil Klíma. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105, 2006. http://eprint.iacr.org/.


[KNPRS10] Dmitry Khovratovich, María Naya-Plasencia, Andrea Röck, and Martin Schläffer. Cryptanalysis of Luffa v2 Components. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 388–409. Springer, 2010.

[LMR+09] Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schläffer. Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 126–143. Springer, 2009.

[MNPN+09] Krystian Matusiewicz, María Naya-Plasencia, Ivica Nikolić, Yu Sasaki, and Martin Schläffer. Rebound Attack on the Full Lane Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 106–125. Springer, 2009.


[MPRS09] Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schläffer. Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 16–35. Springer, 2009.

[MRS09] Florian Mendel, Christian Rechberger, and Martin Schläffer. Cryptanalysis of Twister. In Michel Abdalla, David Pointcheval, Pierre-Alain Fouque, and Damien Vergnaud, editors, ACNS, volume 5536 of LNCS, pages 342–353, 2009.

[MRST09] Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of LNCS, pages 260–276. Springer, 2009.


[MRST10] Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Rebound Attacks on the Reduced Grøstl Hash Function. In Josef Pieprzyk, editor, CT-RSA, volume 5985 of LNCS, pages 350–365. Springer, 2010.

[Pey10] Thomas Peyrin. Improved Differential Attacks for ECHO and Grøstl. In Tal Rabin, editor, CRYPTO, volume 6223 of LNCS, pages 370–392. Springer, 2010.

[RO05] Vincent Rijmen and Elisabeth Oswald. Update on SHA-1. In Alfred Menezes, editor, CT-RSA, volume 3376 of LNCS, pages 58–71. Springer, 2005.


[Sch10] Martin Schläffer. Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 369–387. Springer, 2010.

[SKPI07] Makoto Sugita, Mitsuru Kawazoe, Ludovic Perret, and Hideki Imai. Algebraic Cryptanalysis of 58-Round SHA-1. In Alex Biryukov, editor, FSE, volume 4593 of LNCS, pages 349–365. Springer, 2007.

[SLW+10] Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, and Kazuo Ohta. Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. In Masayuki Abe, editor, ASIACRYPT, volume 6477 of LNCS, pages 38–55. Springer, 2010.


[WFW09] Shuang Wu, Dengguo Feng, and Wenling Wu. Cryptanalysis of the LANE Hash Function. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 126–140. Springer, 2009.

[WYY05] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Victor Shoup, editor, CRYPTO, volume 3621 of LNCS, pages 17–36. Springer, 2005.
