the rebound attack: cryptanalysis of reduced whirlpool and
TRANSCRIPT
Technical University of Denmark - Graz University of Technology
The Rebound Attack:Cryptanalysis of Reduced Whirlpool
and Grøstl
Florian Mendel1, Christian Rechberger1, Martin Schlaffer1,Søren S. Thomsen2
1Institute for Applied Information Processing and Communications (IAIK)Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria
2Department of Mathematics, Technical University of DenmarkMatematiktorvet 303S, DK-2800 Kgs. Lyngby, Denmark
FSE 2009 1
Technical University of Denmark - Graz University of Technology
Overview
1 Motivation
2 The Rebound Attack
3 The Whirlpool Hash Function
4 Rebound Attack on Whirlpool
5 Rebound Attack on Grøstl
6 Results and Conclusions
FSE 2009 2
Technical University of Denmark - Graz University of Technology
Overview
1 Motivation
2 The Rebound Attack
3 The Whirlpool Hash Function
4 Rebound Attack on Whirlpool
5 Rebound Attack on Grøstl
6 Results and Conclusions
FSE 2009 3
Technical University of Denmark - Graz University of Technology
Motivation
NIST SHA-3 Competitiondiversity of designsdiversity of cryptanalytic tools needed
Many AES based designshow to analyze them?we contribute with new attack to this toolbox
Applications?idea of attack is widely applicableWhirlpool, Grøstl
FSE 2009 4
Technical University of Denmark - Graz University of Technology
Overview
1 Motivation
2 The Rebound Attack
3 The Whirlpool Hash Function
4 Rebound Attack on Whirlpool
5 Rebound Attack on Grøstl
6 Results and Conclusions
FSE 2009 5
Technical University of Denmark - Graz University of Technology
Collision Attacks on Hash Functions
iterated hash function h(M, IV )
compression function f : Ht = f (Mt , Ht−1), H0 = IVdifferent types of collision attacks:(1) collision:
fixed IVf (Mt , IV ) = f (M ′t , IV ), Mt 6= M ′t
(2) semi-free-start collision:random chaining inputf (Mt , Ht−1) = f (M ′t , Ht−1), Mt 6= M ′t
(3) free-start collision:random differences and values of chaining inputf (Mt , Ht−1) = f (M ′t , H ′t−1), Mt 6= M ′t , Ht−1 6= H ′t−1
⇒ increasing degrees of freedom
FSE 2009 6
Technical University of Denmark - Graz University of Technology
The Rebound Attack
Ein
Efw
Ebw
inboundoutbound outbound
Applies to block-cipher and permutation based designs:
E = Efw ◦ Ein ◦ Ebw P = Pfw ◦ Pin ◦ Pbw
Inbound phase:efficient meet-in-the-middle phase in Einaided by available degrees of freedomcalled match-in-the-middle
Outbound phase:probabilistic part in Ebw and Efwrepeat inbound phase if needed
FSE 2009 7
Technical University of Denmark - Graz University of Technology
Comparison with other Strategies
inside-out approach:
meet-in-the-middle attack:
rebound attack:
Mt ,H
t-1H
t
Mt ,H
t-1H
t
Mt ,H
t-1H
t
inboundoutbound outbound
FSE 2009 8
Technical University of Denmark - Graz University of Technology
Overview
1 Motivation
2 The Rebound Attack
3 The Whirlpool Hash Function
4 Rebound Attack on Whirlpool
5 Rebound Attack on Grøstl
6 Results and Conclusions
FSE 2009 9
Technical University of Denmark - Graz University of Technology
The Whirlpool Hash Function
+
Blo
ck c
iphe
r W
Mt
Ht-1
HtState
Update SB SC MR AK
KeySchedule SB SC MR AC
Designed by Barretto and Rijmensubmitted to NESSIE in 2000standardized by ISO/IEC 10118-3:2003
512-bit hash value and using 512-bit message blocksBlock-cipher based (AES)
Miyaguchi-Preneel mode with conservative key-schedule
No attacks in 8 years of existence
FSE 2009 10
Technical University of Denmark - Graz University of Technology
The Whirlpool Round Transformations
SubBytes ShiftColumns MixRows AddRoundKeyKi
S(x)
+
10 roundsAES like round transformations on two 8× 8 states
ki = AC ◦MR ◦ SC ◦ SB ri = AK ◦MR ◦ SC ◦ SB
K0
K1
K2
K3
K4
K5
K6
K7
K8
K9
K10
Ht-1
S0
S1
S2
S3
S4
S5
S6
S7
S8
S9
S10
Mt
Ht
r1
r2
r3
r4
r5
r6
r7
r8
r9
r10
SBSCMRAK
SBSCMRAC
SBSCMRAK
SBSCMRAK
SBSCMRAK
SBSCMRAC
SBSCMRAC
SBSCMRAC
SBSCMRAK
SBSCMRAC
SBSCMRAK
SBSCMRAC
SBSCMRAK
SBSCMRAK
SBSCMRAC
SBSCMRAC
SBSCMRAK
SBSCMRAC
+SBSCMRAK
SBSCMRAC
FSE 2009 11
Technical University of Denmark - Graz University of Technology
Wide-Trails in Whirlpool
K0
K1
K2
K3
K4
K5
K6
K7
K8
K9
K10
Ht-1
S0
S1
S2
S3
S4
S5
S6
S7
S8
S9
S10
Mt
Ht
r1
r2
r3
r4
r5
r6
r7
r8
r9
r10
SBSCMRAK
SBSCMRAC
SBSCMRAK
SBSCMRAK
SBSCMRAK
SBSCMRAC
SBSCMRAC
SBSCMRAC
SBSCMRAK
SBSCMRAC
SBSCMRAK
SBSCMRAC
SBSCMRAK
SBSCMRAK
SBSCMRAC
SBSCMRAC
SBSCMRAK
SBSCMRAC
+SBSCMRAK
SBSCMRAC
Minimum number of active S-boxes81 for any 4-round trail: (8− 64− 8− 1)maximum differential probability: (2−5)
81= 2−405
Collision attack on Whirlpool: < 2256
use “message modification” techniques (first rounds)a full active state remains: probability (2−5)
64= 2−320
FSE 2009 12
Technical University of Denmark - Graz University of Technology
Overview
1 Motivation
2 The Rebound Attack
3 The Whirlpool Hash Function
4 Rebound Attack on Whirlpool
5 Rebound Attack on Grøstl
6 Results and Conclusions
FSE 2009 13
Technical University of Denmark - Graz University of Technology
The Rebound Attack on Whirlpool
K0
K1
K2
K3
K4
Ht-1
S0
S1
S2
S3
S4
Mt
Ht
r1
r2
r3
r4
SBSCMRAK
SBSCMRAC
SBSCMRAK
+SBSCMRAK
SBSCMRAK
SBSCMRAC
SBSCMRAC
inboundoutbound outbound
SBSCMRAC
Inbound phase:(1) start with differences in round r2 and r3(2) match-in-the-middle at S-box using values of the state
Outbound phase:(3) probabilistic propagation in MixRows of r1 and r4(4) match one-byte difference of feed-forward
FSE 2009 14
Technical University of Denmark - Graz University of Technology
Inbound Phase
K2
S2SC S
2S3SB S
3MR
r2
r3
r3
Step 1 Step 2 Step 1
MRAK SB SC
MR
(1) Start with differences in state SSC2 and SMR
3linear propagation to full active state of S2 and SSB
3deterministic due to MDS property of MixRows
(2) Match-in-the-middle at S-box of round r3differential match for single S-box: probability ∼ 2−1
for each match we get 2-8 possible values for the S-box⇒ with a complexity of 264, we get 264 matches
FSE 2009 15
Technical University of Denmark - Graz University of Technology
Outbound Phase
K1
K2
K3
K4
S0
S1
S2
S3
S4
Mt
Ht
r1
r2
r3
r4
Step 4 Step 3 Step 3 Step 4
SBSCMRAK
SBSCMRAK
+SBSCMRAK
SBSCMRAK
(3) Propagate through MixRows of r1 and r4using truncated differences (active bytes: 8→ 1)probability: 2−56 in each direction
(4) Match difference in one active byte of feed-forward
⇒ complexity for 4 round collision of Whirlpool: 2120
FSE 2009 16
Technical University of Denmark - Graz University of Technology
Extension to more RoundsK2
K3
S2SB S
2MR S
2S3SB S
3S4SB S
4MR
r2
r2
r3
r3
r4
r4
Step 1 Step 1 Step 2b Step 2a Step 2a Step 1
SCMR
AK SBSCMR
SCMRAK
SB SCMR
Semi-free-start collision on 5 roundsextend inbound phase using degrees of freedom in keysame complexity (2120) as in 4 round attack
K1
K2
K3
K4
K5
K6
K7
S0
S1
S2
S3
S4
S5
S6
S7
S7.5
HtM
t
r1
r2
r3
r4
r5
r6
r7
r7.5
Step 4 Step 3 Step 3 Step 1 Step 2 Step 1 Step 3 Step 3 Step 3 Step 4
SBSCMRAK
SBSCMRAK
SBSCMRAK
SBSCMRAK
SBSCMRAK
SBSCMRAK
+SBSC +
SBSCMRAK
Semi-free-start near-collision on 7.5 roundsextend outbound phase with probability one (MixRows)near-collision on 52 of 64 bytes (2128)
FSE 2009 17
Technical University of Denmark - Graz University of Technology
Overview
1 Motivation
2 The Rebound Attack
3 The Whirlpool Hash Function
4 Rebound Attack on Whirlpool
5 Rebound Attack on Grøstl
6 Results and Conclusions
FSE 2009 18
Technical University of Denmark - Graz University of Technology
SHA-3 Candidate Grøstl
P512
AC SB ShB MB
Q512
AC SB ShB MB
+
Mt
Ht-1 H
t
+
Compression function of Grøstlpermutation based, no key-schedule inputsAES based round transformations (AC, SB, ShB, MB)
Grøstl-256: 8× 8 state for P512 and Q5128× 8 state for P512 and Q51210 rounds each
FSE 2009 19
Technical University of Denmark - Graz University of Technology
Rebound Attack on Grøstl-256
Q0
Q1
Q2
Q3
Q4
Q5
Q6
Mt
Step 3 Step 3 Step 1 Step 2 Step 1 Step 3 Step 3Step 4 Step 4
P0
P1
P2
P3
P4
P5
P6
Ht-1
Ht
r1
r2
r3
r4
r5
r6
+ACSBShBMB
ACSBShBMB
ACSBShBMB
ACSBShBMB
ACSBShBMB
ACSBShBMB
ACSBShBMB
ACSBShBMB
ACSBShBMB
ACSBShBMB
ACSBShBMB
+
ACSBShBMB
Semi-free-start collision on 6 rounds of Grøstl-256less degrees of freedom (no key schedule input)maximize using differential trails in both permutationsbirthday match on input and output differences
Complexity of attack: ∼ 2120
FSE 2009 20
Technical University of Denmark - Graz University of Technology
Overview
1 Motivation
2 The Rebound Attack
3 The Whirlpool Hash Function
4 Rebound Attack on Whirlpool
5 Rebound Attack on Grøstl
6 Results and Conclusions
FSE 2009 21
Technical University of Denmark - Graz University of Technology
Results
Summary of attacks:
hashrounds
computational memorytype
function complexity requirements
Whirlpool4.5/10 2120 216 collision5.5/10 2120 216 semi-free-start collision7.5/10 2128 216 semi-free-start near-collision
Grøstl-256 6/10 2120 270 semi-free-start collision
Improvements?still degrees of freedom in key schedule left (Whirlpool)8.5/10 rounds attack on Maelstrom1 (1024 bit key)8.5/12 rounds of SHA-3 candidate Cheetah-512
1Gazzoni Filho, Barreto, Rijmen (SBSeg 2006)FSE 2009 22
Technical University of Denmark - Graz University of Technology
Conclusions
The Rebound Attackinbound phase for expensive partsoutbound phase for “cheaper” parts
Contribute to hash function cryptanalysis toolboximproved analysis of AES based designsbetter attacks for more degrees of freedomsimple designs allow simple analysis
Future workapply to other design strategiesanalyze SHA-3 candidatesgive bounds for simple AES based designs
FSE 2009 23