Improved Differential Attacks for ECHO and Grøstl (extended version available on eprint)

Thomas Peyrin

CRYPTO 2010 Santa Barbara - November 19, 2010

Outline

• Introduction
• ECHO (Benadjila et al.)
• Grøstl (Gauravaram et al.)
• Results and future works

SHA-3 competition

The SHA-3 hash function competition:
• started in October 2008, 64 submissions
• 51 candidates accepted for the first round
• 14 semi-finalists selected in 2009
• finalists to be selected end 2010
• winner to be announced in 2012

Among the 14 semi-finalists, four are AES-based candidates; ECHO and Grøstl are two of them.


What is an AES-like permutation?

[Figure: one round of an AES-like permutation on an r × r state of c-bit cells: AddConstant (⊕ on every cell), SubBytes (S on every cell), ShiftRows, MixColumns]

MixColumns ◦ ShiftRows ◦ SubBytes ◦ AddConstant(C)

• AddConstant: in the known-key model, just add a round-dependent constant (it breaks the natural symmetry of the three other functions)
• SubBytes: application of a c-bit Sbox to every cell (the only non-linear part)
• ShiftRows: rotate the cells of each row by an amount that depends on its row position
• MixColumns: linear diffusion layer


Hash function collision attacks

In general, there are two basic tools in order to find a collision: differential path building techniques and freedom degree utilization methods.

The differential path building techniques (for SHA-1):
• local collisions
• linear perturbation mask
• non-linear parts

The freedom degree utilization methods (for SHA-1):
• neutral bits
• message modifications
• boomerang trails


Hash function collision attacks

The same two tools exist for AES-based hash functions.

The differential path building techniques (for AES-based):
• truncated differential paths

The freedom degree utilization methods (for AES-based):
• rebound attacks
• multiple-inbound attacks
• start-from-the-middle attacks
• super-Sbox attacks

In this talk, we will mostly focus on how to find good differential paths for ECHO and Grøstl.


The Super-Sbox method

In general, the Super-Sbox method seems more powerful than classical rebound or start-from-the-middle attacks. It allows one to control 3 rounds in the middle (the controlled rounds): a valid pair is found with one operation on average, but the method has a minimal cost of 2^{r·c} (the size of the Super-Sbox tables, one Super-Sbox acting on a column of r cells of c bits).

[Figure: 7-round truncated differential path, rounds 0 to 6, each made of AC, SB, ShR and MC (the figure ends with ShR); the 3 controlled rounds sit in the middle, the other rounds are uncontrolled]

The rest is fulfilled probabilistically (uncontrolled rounds). In our example, we have to pay twice a probability of 2^{-8×3} = 2^{-24}.
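The two numbers above (2^{-24} per uncontrolled 4 → 1 transition on AES-sized cells, 2^{r·c} for the Super-Sbox tables) and the 2^{384} / 2^{512} figures for ECHO later in the talk all come from the same truncated-differential bookkeeping on an AES-like round. The following script is an added example written for this page, not code from the talk or from the ECHO, Grøstl or AES designers: it tracks only which cells of an r × r state of c-bit cells are active, assumes ShiftRows rotates row i by i cells and that MixColumns is MDS on each column (branch number r + 1), and uses the dominant cost term 2^{-c·(r−b)} for forcing a column down to b active cells, as the slides do.

```python
"""Truncated-differential bookkeeping for one AES-like round.

Added example for this talk; not code from the ECHO, Grostl or AES designers.
It tracks only which cells of an r x r state of c-bit cells are active (carry a
non-zero difference), which is the abstraction truncated differential paths use.
Assumptions: ShiftRows rotates row i by i cells, and MixColumns is MDS on each
column (branch number r + 1), as in AES, Grostl and the AES rounds inside ECHO.
"""


def shift_rows(pattern):
    """Rotate row i of the active-cell pattern left by i positions."""
    r = len(pattern)
    return [[pattern[i][(j + i) % r] for j in range(r)] for i in range(r)]


def active_per_column(pattern):
    """Number of active cells in each column of the pattern."""
    r = len(pattern)
    return [sum(pattern[i][j] for i in range(r)) for j in range(r)]


def mc_transition_possible(a_in, b_out, r):
    """MDS branch number r + 1: a column with a_in > 0 active input cells can
    only produce b_out active output cells if a_in + b_out >= r + 1; an
    inactive column stays inactive."""
    if a_in == 0 or b_out == 0:
        return a_in == b_out
    return a_in + b_out >= r + 1


def mc_transition_cost_log2(a_in, b_out, r, c):
    """-log2 of the probability that MixColumns maps a column with a_in active
    c-bit cells to exactly b_out active cells, using the dominant term the talk
    uses: each output cell forced to be inactive costs about c bits, hence
    c * (r - b_out).  (The exact probability carries an extra small
    combinatorial factor for which cells stay active; the slides drop it.)"""
    if not mc_transition_possible(a_in, b_out, r):
        return float("inf")
    if a_in == 0:
        return 0  # inactive column, nothing to pay
    return c * (r - b_out)


def uncontrolled_cost_log2(transitions, c):
    """Total cost in bits of the uncontrolled MixColumns transitions of a path,
    each given as (r, active_in, active_out)."""
    return sum(mc_transition_cost_log2(a, b, r, c) for r, a, b in transitions)


def super_sbox_table_log2(r, c):
    """log2 of the size of one Super-Sbox table, i.e. the minimal cost of the
    Super-Sbox method: a Super-Sbox acts on one column of r cells of c bits."""
    return r * c


def expand_single_column(r):
    """Classic expansion: one fully active column becomes one active cell per
    column after ShiftRows, and each such column then expands to r active
    cells through MixColumns for free (cost 0 bits)."""
    one_column = [[1 if j == 0 else 0 for j in range(r)] for i in range(r)]
    after_shift = active_per_column(shift_rows(one_column))
    free = all(mc_transition_cost_log2(a, r, r, 8) == 0 for a in after_shift)
    return after_shift, free


if __name__ == "__main__":
    # AES-sized cells (r = 4, c = 8): the two uncontrolled 4 -> 1 transitions of
    # the Super-Sbox example cost 2^-24 each, 2^-48 in total.
    print(uncontrolled_cost_log2([(4, 4, 1), (4, 4, 1)], 8))  # 48
    # ECHO word level (r = 4, c = 128): one 4 -> 1 transition costs 2^-384,
    # while the Super-Sbox tables would hold 2^512 entries.
    print(mc_transition_cost_log2(4, 1, 4, 128), super_sbox_table_log2(4, 128))
```

Feeding the ECHO parameters (r = 4 words per column, c = 128 bits per word) reproduces the 2^{384} average and 2^{512} minimal cost quoted for the 7-round ECHO trail, which is why the talk needs a cheaper replacement for the Super-Sbox step on that path.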

ECHO compression function

[Figure: the compression function maps (CV, M) to CV' through the internal permutation P, whose state is a matrix of 128-bit cells; one round of P is shown, made of the B.SB, B.ShR and B.MC layers (BIG.SubWords, BIG.ShiftRows, BIG.MixColumns)]

Previous attacks

Previous attacks focused on the internal permutation only, because the complexities were already very high.

[Figure: 7-round truncated differential trail for the ECHO internal permutation, layers B.SB0, B.ShR0, B.MC0 through B.SB6, B.ShR6, B.MC6]

For this 7-round trail, one can find a valid pair with 2^{128×3} = 2^{384} computations on average, but with a minimal cost of 2^{512} because of the Super-Sbox method (a Super-Sbox table for a column of four 128-bit cells has 2^{4×128} entries).


Improved differential paths for ECHO

Increase the granularity of the path: force all intra-word differences to be of the same type. The figure labels every 128-bit word with its difference type (C, F, 1 or D).

[Figure: 7-round path for the ECHO internal permutation, layers B.SB0, B.ShR0, B.MC0 through B.SB6, B.ShR6, B.MC6, with each active word tagged C, F, 1 or D]

Problem: this path has an average complexity of 2^{96} computations per solution, but we still have to pay the huge 2^{512} minimal cost of the Super-Sbox method anyway.

Idea: improve the Super-Sbox technique for this particular differential path: 2^{32} computations and memory for one solution in the controlled rounds.


Results for ECHO

target                        rounds    computational complexity    memory requirements    type
ECHO-256 comp. function       3/8       2^64                        2^32                   free-start collision
                              3/8       2^96                        2^32                   semi-free-start collision*
                              4.5/8     2^96                        2^32                   distinguisher
ECHO-512 comp. function       3/10      2^96                        2^32                   (semi)-free-start collision*
                              6.5/10    2^96                        2^32                   distinguisher
ECHO-SP-256 comp. function    3/8       2^64                        2^32                   (semi)-free-start collision
                              3/8       2^64                        2^32                   distinguisher
ECHO-SP-512 comp. function    3/10      2^64                        2^32                   free-start collision
                              3/10      2^96                        2^32                   semi-free-start collision*
                              4.5/10    2^96                        2^32                   distinguisher

* because of a lack of freedom degrees, these attacks require some randomization of the salt; thus they are applicable in the chosen-salt setting only.


Grøstl compression function

[Figure: the two parallel permutations P and Q, h(CV, M) = P(CV ⊕ M) ⊕ Q(M) ⊕ CV, producing CV']

Round i of the permutations P and Q, on an 8 × 8 state of 8-bit cells (8 bytes by 8 bytes):
• AddConstant: ⊕ i for P, ⊕ (i ⊕ 0xff) for Q
• SubBytes: S on every byte
• ShiftRows
• MixColumns

MixColumns ◦ ShiftRows ◦ SubBytes ◦ AddConstant(C)


The internal differential attack

Problem: all previous attacks build classical differential paths for the permutations P and Q (this allows one to reach 8/10 rounds).

[Figure: the attacked primitive, with the two branches P and Q of the compression function receiving inputs that differ by ∆IN and producing outputs that differ by ∆OUT, H and H' denoting the chaining values]

Idea: look at the difference between the two parallel branches. It works well on Grøstl because P and Q are almost identical (only the constant addition differs).

Let A and B be such that A ⊕ B = ∆IN and Q(A) ⊕ P(B) = ∆OUT. With A = M and B = H ⊕ M, since h(H, M) = P(H ⊕ M) ⊕ Q(M) ⊕ H, we have h(H, M) = ∆IN ⊕ ∆OUT.


What can we do with such a pair A and B?

• Distinguishing attack:
  • assume ∆IN is maintained in a set of x elements
  • assume ∆OUT is maintained in a set of y elements
  • thus h(H, M) is maintained in a set of k = x · y elements
  • we can distinguish the Grøstl compression function from an ideal one: such a pair (H, M) can be generically obtained with 2^n / k computations
  • one can also distinguish the permutations P and Q from ideal permutations (see "limited birthday distinguishers" in [Gilbert Peyrin FSE 2010])
• Collision attack:
  • because of a lack of freedom degrees, no improvement for the compression function attacks
  • but we can attack 5/10 rounds of the hash function


An example with 9 rounds

[Figure: 9-round internal differential path for the Grøstl-256 permutations, layers SB0, ShR0, MC0, AC0 through SB8, ShR8, MC8, AC8]

• we have x = 2^{56}, y = 2^{128}, hence k = 2^{184}
• thus the generic complexity is 2^{512−184} = 2^{328} operations
• we can find a valid candidate with only 2^{80} computations and 2^{64} memory
• the amount of freedom degrees only allows us to compute one such candidate, but a generalization of the internal differential attack gives additional freedom degrees
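The algebra behind the internal differential attack (h(H, M) = ∆IN ⊕ ∆OUT once A = M and B = H ⊕ M are compared across the two branches), the generic 2^n / k bound used for the 9-round example, and the closing design warning about symmetric branches can all be checked on a toy model. The script below is an added example written for this page, not code from the talk or from the Grøstl designers: it keeps the exact two-branch structure h(H, M) = P(H ⊕ M) ⊕ Q(M) ⊕ H with P and Q identical up to their round constants (i for P, i ⊕ 0xff for Q), but replaces the real 8 × 8 AES-like permutations with a hypothetical SHA-256-based Feistel permutation so that it runs offline.

```python
"""Toy model of the Grostl compression function structure.

Added example; not code from the Grostl designers or from the talk.  The real
P and Q are 8x8-byte AES-like permutations; here they are a hypothetical
Feistel permutation built from SHA-256 so the script runs offline.  What is
kept exactly is what the internal differential attack exploits: P and Q are
the *same* permutation up to the round constants (i for P, i ^ 0xff for Q),
and h(H, M) = P(H ^ M) ^ Q(M) ^ H.
"""
import hashlib
import os

BLOCK = 64   # state size in bytes (Grostl-256 uses 64; any even size works here)
ROUNDS = 4   # rounds of the toy Feistel permutation (assumption, not Grostl's 10)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half, i, tweak):
    """Feistel round function: SHA-256 over (round constant, counter, half),
    widened to len(half) bytes.  The constant is i ^ tweak, so P and Q differ
    only in the tweak, mirroring AddConstant in Grostl."""
    out = b""
    ctr = 0
    while len(out) < len(half):
        out += hashlib.sha256(bytes([i ^ tweak, ctr]) + half).digest()
        ctr += 1
    return out[: len(half)]


def toy_perm(state, tweak):
    """Balanced Feistel network: a bijection on BLOCK bytes for every tweak."""
    n = len(state) // 2
    left, right = state[:n], state[n:]
    for i in range(ROUNDS):
        left, right = right, xor(left, _f(right, i, tweak))
    return left + right


def P(x):
    return toy_perm(x, 0x00)  # round constant i


def Q(x):
    return toy_perm(x, 0xFF)  # round constant i ^ 0xff, as in Grostl


def compress(H, M):
    """Grostl compression function structure (this part is exact)."""
    return xor(xor(P(xor(H, M)), Q(M)), H)


def internal_difference_view(H, M):
    """Rewrite h(H, M) as delta_in ^ delta_out with A = M and B = H ^ M:
    delta_in = A ^ B = H, delta_out = Q(A) ^ P(B)."""
    A, B = M, xor(H, M)
    delta_in = xor(A, B)
    delta_out = xor(Q(A), P(B))
    return xor(delta_in, delta_out)


def generic_cost_log2(n_bits, x_bits, y_bits):
    """Generic cost (in bits) of finding (H, M) whose output lies in a set of
    k = x * y elements: 2^n / k, i.e. n - (x_bits + y_bits)."""
    return n_bits - (x_bits + y_bits)


def symmetric_branches_collapse(M):
    """The design warning of the talk: if P and Q were identical (no
    distinguishing constants), H = 0 feeds both branches the same input and
    h(0, M) = P(M) ^ P(M) ^ 0 = 0 for every M.  Returns True when the variant
    with identical branches hits the all-zero output."""
    H = bytes(BLOCK)
    same_branch = xor(xor(P(xor(H, M)), P(M)), H)
    return same_branch == bytes(BLOCK)


if __name__ == "__main__":
    H, M = os.urandom(BLOCK), os.urandom(BLOCK)
    assert compress(H, M) == internal_difference_view(H, M)
    print("internal-difference identity holds; generic cost for the 9-round "
          "Grostl-256 example: 2^%d" % generic_cost_log2(512, 56, 128))
```

With the real constants in place, compress(0, M) = P(M) ⊕ Q(M) is not structurally zero; dropping the constant difference turns every (0, M) into a trivial zero output, which is the concrete form of the talk's advice to check the differential paths between the internal branches, not only within each one.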


Results for Grøstl

target                       rounds    computational complexity    memory requirements    type              source
Grøstl-256 internal perm.    8/10      2^112                       2^64                   distinguisher     [Gilbert Peyrin 2009]
                             9/10      2^80                        2^64                   distinguisher     new
                             10/10     2^192                       2^64                   distinguisher     new
Grøstl-512 internal perm.    11/14     2^640                       2^64                   distinguisher     new
Grøstl-256 comp. function    9/10      2^80                        2^64                   distinguisher*    new
                             10/10     2^192                       2^64                   distinguisher*    new
Grøstl-512 comp. function    11/14     2^640                       2^64                   distinguisher*    new
Grøstl-256 hash function     4/10      2^64                        2^64                   collision         [Mendel et al. 2010]
                             5/10      2^79                        2^64                   collision         new
Grøstl-512 hash function     5/14      2^176                       2^64                   collision         [Mendel et al. 2010]
                             6/14      2^177                       2^64                   collision         new

* for these distinguishers, the amount of available freedom degrees allows us to generate only one valid candidate with good probability.


Results and future works

Our results:
• first attacks on reduced versions of the ECHO compression function
• distinguishing attack against the full Grøstl-256 compression function or internal permutations

Future works:
• find better differential paths for ECHO ([Schläffer - SAC 2010])
• derive collision attacks for the Grøstl hash function with internal differential paths ([Ideguchi et al. - eprint 2010])
• try to apply the internal differential attack to other schemes

Be careful when designing a scheme: also check the differential paths between the internal branches.
