Analysis of some SHA-3 candidates - Inria · 2020. 12. 13. · Introduction Attacks on Generalized...
Transcript of Analysis of some SHA-3 candidates - Inria · 2020. 12. 13. · Introduction Attacks on Generalized...
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Analysis of some SHA-3 candidates
Gaëtan Leurent
University of Luxembourg
May 4, 2011
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 1 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
An Ideal Hash Function: the Random Oracle
I Public Random OracleI The output can be used as a fingerprint of the document
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 2 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
An Ideal Hash Function: the Random Oracle
0x1d66ca77ab361c6f
I Public Random OracleI The output can be used as a fingerprint of the document
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 2 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
A Concrete Hash Function
I A public function with no structural property.I Cryptographic strength without any key!
I F : {0, 1}∗ → {0, 1}n
0x1d66ca77ab361c6fF
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 3 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
A Concrete Hash Function
I A public function with no structural property.I Cryptographic strength without any key!
I F : {0, 1}∗ → {0, 1}n
0x1d66ca77ab361c6fF
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 3 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Security goals
Preimage attack
? 0xb58bff99F
Given F and H, find M s.t. F(M) = H.Ideal security: 2n.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 4 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Security goalsSecond-preimage attack
? F
F
0xf46cc4146=
Given F and M1, find M2 6= M1 s.t. F(M1) = F(M2).Ideal security: 2n.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 4 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Security goalsCollision attack
? F
? F?6=
Given F, find M1 6= M2 s.t. F(M1) = F(M2).Ideal security: 2n/2.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 4 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Hash function design
I Build a small compression function, and iterate.
I Cut the message in chunks M0, ...MkI Hi = f(Mi,H−1)I F(M) = Hk
f
M0
H0
f
M1
H1
f
M2
H2
f
M3
H3IV
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 5 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Compression Function Attacks
Fist results usually target the compression function
I Because it’s easier: more degrees of freedomI Because good compression function imply good hash function
MD5 cryptanalysis
I 1993: Free-start collisions [den Boer and Bosselaers]I 1996: Semi-free-start collisions [Dobbertin]I 2005: Collisions [Wang et. al]I 2009: Rogue certificate [Stevens et. al]
Wang’s and Stevens’s attacks are based on the dBB path
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 6 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Compression Function Attacks
Fist results usually target the compression function
I Because it’s easier: more degrees of freedomI Because good compression function imply good hash function
MD5 cryptanalysis
I 1993: Free-start collisions [den Boer and Bosselaers]I 1996: Semi-free-start collisions [Dobbertin]I 2005: Collisions [Wang et. al]I 2009: Rogue certificate [Stevens et. al]
Wang’s and Stevens’s attacks are based on the dBB path
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 6 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Operations used
Two main categories of designs:
ARX designs
I Additions, Rotations, XorsI Inspired by MD/SHAI Lots of light roundsI Bit-level attackI Known attacks techniques,
but finding paths is hard
SBox designs
I SBoxes and Linear LayersI Inspired by the AESI Few heavy roundsI SBox-level attacksI New attacks techniques,e.g. rebound attack
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 7 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Outline
IntroductionHash Functions
Attacks on Generalized Feistel schemesThe cancellation propertyApplication to SHAvite-3512Extension to 14 rounds with weak saltsOther results
Analysis of BMWSolving AX systemsApplication to BMWSummary
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 8 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Outline
IntroductionHash Functions
Attacks on Generalized Feistel schemesThe cancellation propertyApplication to SHAvite-3512Extension to 14 rounds with weak saltsOther results
Analysis of BMWSolving AX systemsApplication to BMWSummary
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 9 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Generalized Feistel schemes
I Build a 4n-bit function out of an n-bit function:
S T U V
S T U VKi
F
Lesamnta structure(CAST-like)
VUTS
VUTSK′iKi
F F
SHAvite-3512 structure(RC6-like)
I Ideal: each Fi is an independent ideal function/permutationI In practice: Fi(x) = F(ki ⊕ x) with a fixed F
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 10 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Generalized Feistel schemes
I Build a 4n-bit function out of an n-bit function:
S T U V
S T U VKi
F
Lesamnta structure(CAST-like)
VUTS
VUTSK′iKi
F F
SHAvite-3512 structure(RC6-like)
I Ideal: each Fi is an independent ideal function/permutationI In practice: Fi(x) = F(ki ⊕ x) with a fixed F
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 10 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Cancellation Cryptanalysis
Main idea
Cancel the effect of non-linear componentsby using the same input pairs twice
I If round functions are related: Fi(x) = F(ki ⊕ x)
I Look for terms with Fi(u)⊕ Fj(u⊕ α)I Set α = ki ⊕ kjI Then Fj(u⊕ α) = F(kj ⊕ u⊕ ki ⊕ kj) = Fi(u)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 11 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
The Cancellation Property
F F
I Full diffusion after4 rounds
I If y1 = y2 = y,the differencescancel out
I Use constraintson the state
i Si Ti Ui Vi
0 x - - -1 - x - -2 - y1 x - x→ y13 - z y1 x y1 → z4 x w z y′ x→ y2, z→ w
y′ = y1 ⊕ y2
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 12 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
The Cancellation Property
F F
I Full diffusion after4 rounds
I If y1 = y2 = y,the differencescancel out
I Use constraintson the state
i Si Ti Ui Vi
0 x - - -1 - x - -2 - y1 x - x→ y13 - z y1 x y1 → z4 x w z y′ x→ y2, z→ w
y′ = y1 ⊕ y2
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 12 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
The Cancellation Property
F F
I Full diffusion after4 rounds
I If y1 = y2 = y,the differencescancel out
I Use constraintson the state
i Si Ti Ui Vi
0 x - - -1 - x - -2 - y x - x→ y3 - z y x y→ z4 x w z - x→ y, z→ w
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 12 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
The Cancellation Property
F F
I Full diffusion after4 rounds
I If y1 = y2 = y,the differencescancel out
I Use constraintson the state
i Si Ti Ui Vi
0 x - - -1 - x - -2 - y x - x→ y3 - z y x y→ z4 x w z - x→ y, z→ w
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 12 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
The Cancellation Property: Looking at the Values
We study values, starting at round 4:
i Si Ti Ui Vi
4 a b c d5 d a⊕ F4(b) b c⊕ F′4(d)6 c⊕ F′4(d) d⊕ F5(a⊕ F4(b)) a⊕ F4(b) b⊕ F′5(c⊕ F′4(d))7 c⊕ F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b)))
Round 7: F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b))).They cancel if: F5(a⊕ F4(b)) = k1,4 ⊕ k0,6
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 13 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
9-round Truncated Differential
i Si Ti Ui Vi
0 ? x2 ? x1 x - x2 x12 x1 x - - x1 → x23 - - x - x→ x14 - - - x5 x - - y x→ y6 y x - z y→ z7 z - x w x→ y, z→ w8 w z - ?9 ? - z ? z→ wFF ? x2 ? ?
Properties
I Using conditions on thestate, probability 1.
I The transitions x→ x1and x1 → x2 are known.
I Compute x from x2
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 14 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Valuesi Xi/Yi
X0 b⊕ F3(c)⊕ F′1(c⊕ F2(d⊕ F′3(a)))Y0 d⊕ F′3(a)⊕ F1(a⊕ F′2(b⊕ F3(c)))X1 a⊕ F′2(b⊕ F3(c))Y1 c⊕ F2(d⊕ F′3(a))X2 d⊕ F′3(a)Y2 b⊕ F3(c)X3 cY3 aX4 bY4 dX5 a⊕ F4(b)Y5 c⊕ F′4(d)X6 d⊕ F5(a⊕ F4(b))Y6 b⊕ F′5(c⊕ F′4(d))X7 c⊕ F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b)))Y7 a⊕ F4(b)⊕ F′6(b⊕ F
′5(c⊕ F′4(d)))
X8 b⊕ F′5(c⊕ F′4(d))⊕ F7(c)Y8 d⊕ F5(a⊕ F4(b))⊕ F′7(a⊕ F4(b)⊕ F′6(b⊕ F
′5(c⊕ F′4(d))))
X9 a⊕ F4(b)⊕ F′6(b⊕ F′5(c⊕ F′4(d)))⊕ F8(b⊕ F′5(c⊕ F′4(d))⊕ F7(c))
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 15 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Message Conditions
Round 7 F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b))).They cancel if: F5(a⊕ F4(b)) = k01,4 ⊕ k00,6
Round 9 F′6(b⊕ F′5(c⊕ F′4(d)))⊕ F8(b⊕ F′5(c⊕ F′4(d))⊕ F7(c)).They cancel if: F7(c) = k01,6 ⊕ k
00,8
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 16 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
9-round Attack
I Choose a, b, c, to satisfy the cancellation conditions.I Compute everything as a function of (a, b, c, d) := (S4, T4,U4,V4).
I Express the output as a function of dI T9 = η
I η = a⊕ F4(b)I T0 = F′1(F2(d⊕ α)⊕ β)⊕ γ
I α = F′3(a)I β = cI γ = b⊕ F3(c)
I For a target value H, set d = F−12(F′−11
(H⊕ η ⊕ γ
)⊕ β
)⊕ α
I This gives T0 ⊕ T9 = H: partial preimage
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 17 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
9-round Attack
I Choose a, b, c, to satisfy the cancellation conditions.I Compute everything as a function of (a, b, c, d) := (S4, T4,U4,V4).
I Express the output as a function of dI T9 = η
I η = a⊕ F4(b)I T0 = F′1(F2(d⊕ α)⊕ β)⊕ γ
I α = F′3(a)I β = cI γ = b⊕ F3(c)
I For a target value H, set d = F−12(F′−11
(H⊕ η ⊕ γ
)⊕ β
)⊕ α
I This gives T0 ⊕ T9 = H: partial preimage
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 17 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
9-round Attack
I Choose a, b, c, to satisfy the cancellation conditions.I Compute everything as a function of (a, b, c, d) := (S4, T4,U4,V4).
I Express the output as a function of dI T9 = η
I η = a⊕ F4(b)I T0 = F′1(F2(d⊕ α)⊕ β)⊕ γ
I α = F′3(a)I β = cI γ = b⊕ F3(c)
I For a target value H, set d = F−12(F′−11
(H⊕ η ⊕ γ
)⊕ β
)⊕ α
I This gives T0 ⊕ T9 = H: partial preimage
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 17 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Application to SHAvite-3512
VUTS
VUTSK′iKi
F′ F
I 14 roundsI State is 4× 128 bitsI Davies-Meyer (message is the key)I Fi(x) = F(F(F(F(x⊕ k0i )⊕ k1i )⊕ k2i )⊕ k3i )I F is one AES round.I Key schedule: linear and AES rounds.
Problem
F uses several keys
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 18 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Application to SHAvite-3512
VUTS
VUTSK′iKi
F′ F
I 14 roundsI State is 4× 128 bitsI Davies-Meyer (message is the key)I Fi(x) = F(F(F(F(x⊕ k0i )⊕ k1i )⊕ k2i )⊕ k3i )I F is one AES round.I Key schedule: linear and AES rounds.
Problem
F uses several keys
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 18 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Message Conditions: SHAvite-3512
Round 7 F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b))).They cancel if: F5(a⊕ F4(b)) = k01,4 ⊕ k00,6and (k11,4, k
21,4, k
31,4) = (k
10,6, k
20,6, k
30,6).
Round 9 F′6(b⊕ F′5(c⊕ F′4(d)))⊕ F8(b⊕ F′5(c⊕ F′4(d))⊕ F7(c)).They cancel if: F7(c) = k01,6 ⊕ k
00,8
and (k11,6, k21,6, k
31,6) = (k
10,8, k
20,8, k
30,8).
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 19 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Solving the Conditions
I We can build a chaining value satisfying the 6 conditionswith cost 296. see details
I Each chaining value can be used 2128 timesto fix 128 bits of the output.I Cost of finding a good message is amortized.
I Attacks on 9-round SHAvite-3512:I Free-start preimage with complexity 2384I Second-Preimage with complexity 2448.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 20 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Extension to 10 rounds
I We only use two cancellations: two conditions on the stateI We still have two degrees of freedom
I We change the variables:(u, z, v,w) := (T2, T3, T4, T5)
u, v degrees of freedom, z,w fixed by the cancellation conditions
H = z⊕ F2(u)⊕ F′0(u⊕ F1(w⊕ F4(v)⊕ F′2(v⊕ F3(z))))⊕wF1(w⊕ F4(v)⊕ F′2(v⊕ F3(z))) = u⊕ F′−10 (H⊕ z⊕ F2(u)⊕w)
I We have u on one side and v on the other side:we can solve with cost 264 by the birthday paradox (or TMTD)
I Attacks on 10-round SHAvite-3512
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 21 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
10-round Path
i Ti Vi
0 v⊕ F3(z)⊕ F′1(z⊕ F2(u)) u⊕ F1(w⊕ F4(v)⊕ F′2(v⊕ F3(z)))1 w⊕ F4(v)⊕ F′2(v⊕ F3(z)) z⊕ F2(u)2 u v⊕ F3(z)3 z w⊕ F4(v)4 v u⊕ F′3(V3)5 w z⊕ F′4(V4)6 V4 ⊕ F5(w) v⊕ F′5(V5)7 z⊕ F′4(V4)⊕ F6(V4 ⊕ F5(w)) w⊕ F′6(V6)8 V6 ⊕ F7(z) V4 ⊕ F5(w)⊕ F′7(V7)9 w⊕ F′6(V6)⊕ F8(V6 ⊕ F7(z)) z⊕ F
′8(V8)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 22 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Extension to 10 rounds
I We only use two cancellations: two conditions on the stateI We still have two degrees of freedom
I We change the variables:(u, z, v,w) := (T2, T3, T4, T5)
u, v degrees of freedom, z,w fixed by the cancellation conditions
H = z⊕ F2(u)⊕ F′0(u⊕ F1(w⊕ F4(v)⊕ F′2(v⊕ F3(z))))⊕wF1(w⊕ F4(v)⊕ F′2(v⊕ F3(z))) = u⊕ F′−10 (H⊕ z⊕ F2(u)⊕w)
I We have u on one side and v on the other side:we can solve with cost 264 by the birthday paradox (or TMTD)
I Attacks on 10-round SHAvite-3512
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 23 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Extension to 14 rounds
i Xi Yi
0 v⊕ F3(z)⊕ F′1(z⊕ F2(u)) u⊕ F1(w⊕ F4(v)⊕ F′2(v⊕ F3(z)))1 w⊕ F4(v)⊕ F′2(v⊕ F3(z)) z⊕ F2(u)2 u v⊕ F3(z)3 z w⊕ F4(v)4 v u⊕ F′3(Y3)5 w z⊕ F′4(Y4)6 Y4 ⊕ F5(w) v⊕ F′5(Y5)7 z⊕ F′4(Y4)⊕ F6(Y4 ⊕ F5(w)) w⊕ F′6(Y6)8 Y6 ⊕ F7(z) Y4 ⊕ F5(w)⊕ F′7(Y7)9 w⊕ F′6(Y6)⊕ F8(Y6 ⊕ F7(z)) z⊕ F
′8(Y8)
10 Y8 ⊕ F9(w) Y6 ⊕ F7(z)⊕ F′9(Y9)11 z⊕ F′8(Y8)⊕ F10(Y8 ⊕ F9(w)) w⊕ F′10(Y10)12 Y10 ⊕ F11(z) Y8 ⊕ F9(w)⊕ F′11(Y11)13 w⊕ F′10(Y10)⊕ F12(Y10 ⊕ F11(z)) z⊕ F′12(Y12)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 24 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
14-round cancellation conditionsRound 7 F′4(Y4)⊕ F6(Y4 ⊕ F5(w)).
They cancel if: F5(w) = k01,4 ⊕ k00,6 and(k11,4, k
21,4, k
31,4) = (k
10,6, k
20,6, k
30,6).
Round 9 F′6(Y6)⊕ F8(Y6 ⊕ F7(z)).They cancel if: F7(z) = k01,6 ⊕ k
00,8 and
(k11,6, k21,6, k
31,6) = (k
10,8, k
20,8, k
30,8).
Round 11 F′8(Y8)⊕ F10(Y8 ⊕ F9(w)).They cancel if: F9(w) = k01,8 ⊕ k00,10 and(k11,8, k
21,8, k
31,8) = (k
10,10, k
20,10, k
30,10).
Since w is fixed: F−15 (k01,4 ⊕ k00,6) = F
−19 (k
01,8 ⊕ k00,10)
Round 13 F′10(Y10)⊕ F12(Y10 ⊕ F11(z)).They cancel if: F11(z) = k01,10 ⊕ k00,12 and(k11,10, k
21,10, k
31,10) = (k
10,12, k
20,12, k
30,12).
Since z is fixed: F−17 (k01,6 ⊕ k
00,8) = F
−111 (k
01,10 ⊕ k00,12)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 25 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
14-round cancellation conditionsI 256-bit condition on the stateI 1792-bit condition on the expanded message
F5(w) = k01,4 ⊕ k00,6F7(z) = k01,6 ⊕ k
00,8
(k11,4, k21,4, k
31,4) = (k
10,6, k
20,6, k
30,6)
(k11,6, k21,6, k
31,6) = (k
10,8, k
20,8, k
30,8)
(k11,8, k21,8, k
31,8) = (k
10,10, k
20,10, k
30,10)
(k11,10, k21,10, k
31,10) = (k
10,12, k
20,12, k
30,12)
F−15 (k01,4 ⊕ k00,6) = F
−19 (k
01,8 ⊕ k00,10)
F−17 (k01,6 ⊕ k
00,8) = F
−111 (k
01,10 ⊕ k00,12)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 26 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Weak salts
I More conditions than inputs to the message expansion
I We can build a salt/cv pair satisfying the 14 conditionswith cost 1 (2288 solutions) see details
I Each chaining value can give 2128 solutionswith 128 bits of the output fixed.I Enough solutions for a full preimage.
I Attacks on 14-round SHAvite-3512 compression function:I Chosen salt free-start preimage with complexity 2384
(with 2128 memory)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 27 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Summary
F F
I Generic 9-round and 10-round attacks
I In SHAvite-3512 each round function use several keysI Use properties of the message expansion
I 14-round attack possible with lots of constraintsI Use weak salts
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 28 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Results: SHAvite-3512
Comp. Fun. Hash Fun.
Attack Rounds Time Mem. Time Mem.
2nd Preimage 9 2384 - 2448 264
2nd Preimage 10 2448 - 2480 232
2nd Preimage 10 2416 264 2464 264
2nd Preimage 10 2384 2128 2448 2128
Collision1 14 2192 2128 N/APreimage1 14 2384 2128 N/APreimage1 14 2448 - N/A
1 Chosen salt attacks
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 29 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Other ResultsI Attacks on reduced Lesamnta
FI 24 rounds out of 32: collision and preimage
I Previous attacks: 16 rounds
I Attacks on block ciphers
FI 20-round distinguisher
I 21-round key-recovery attack
I Previous attacks: 18-round distinguisherI Integral attack
I consider 2n/4 structures of 2n/4 plain-textsI one structure will have the cancellation property
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 30 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Outline
IntroductionHash Functions
Attacks on Generalized Feistel schemesThe cancellation propertyApplication to SHAvite-3512Extension to 14 rounds with weak saltsOther results
Analysis of BMWSolving AX systemsApplication to BMWSummary
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 31 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Blue Midnight Wish
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
I Wide pipe: each line is 16 words (32 or 64 bits)
I Most of the diffusion happens in f1I ARX: Addition, Rotations, Xors see details
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 32 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Solving AX Systems
Important Example
x⊕∆ = x� δ
I On average one solutionI Easy to solve because it’s a T-function.
I Guess LSB, check, and move to next bit
I How easy exactly?I Backtracking is exponential in the worst case:x⊕ 0x80000000 = x
I For random δ, ∆, most of the time the system is inconsistent
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 33 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Solving AX Systems
Important Example
x⊕∆ = x� δ
I On average one solutionI Easy to solve because it’s a T-function.
I Guess LSB, check, and move to next bit
I How easy exactly?I Backtracking is exponential in the worst case:x⊕ 0x80000000 = x
I For random δ, ∆, most of the time the system is inconsistent
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 33 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Solving AX Systems
Important Example
x⊕∆ = x� δ
I On average one solutionI Easy to solve because it’s a T-function.
I Guess LSB, check, and move to next bit
I How easy exactly?I Backtracking is exponential in the worst case:x⊕ 0x80000000 = x
I For random δ, ∆, most of the time the system is inconsistent
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 33 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Solving AX Systems
Important Example
x⊕∆ = x� δ
I On average one solutionI Easy to solve because it’s a T-function.
I Guess LSB, check, and move to next bit
I How easy exactly?I Backtracking is exponential in the worst case:x⊕ 0x80000000 = x
I For random δ, ∆, most of the time the system is inconsistent
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 33 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Transition AutomataWe use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ.
c ∆ δ x c’
0 0 0 0 00 0 0 1 00 0 1 0 -0 0 1 1 -0 1 0 0 -0 1 0 1 -0 1 1 0 00 1 1 1 1
c ∆ δ x c’
1 0 0 0 -1 0 0 1 -1 0 1 0 11 0 1 1 11 1 0 0 01 1 0 1 11 1 1 0 -1 1 1 1 -
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 34 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Transition AutomataWe use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
see example
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 34 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Decision Automata
I Remove x from the transitionsI Convert the non-deterministic automata to deterministic.
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
I Can decide whether a given ∆, δ is compatible.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 35 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Decision Automata
I Remove x from the transitionsI Convert the non-deterministic automata to deterministic.
Decision automaton for x⊕∆ = x� δ. The edges are indexed by ∆, δ
0start 11,1
0,00,01,1
1,0
1,00,10,1
I Can decide whether a given ∆, δ is compatible.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 35 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Decision Automata
I Remove x from the transitionsI Convert the non-deterministic automata to deterministic.
Decision automaton for x⊕∆ = x� δ. The edges are indexed by ∆, δ
{0}start {0, 1} {1}1,1
0,0
0,0
1,01,1
0,1
1,0
0,1
I Can decide whether a given ∆, δ is compatible.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 35 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Solving AX systems
Take an AX system with variables and parameters.e.g. x⊕∆ = x� δ
1 Compute carry transitions2 Build transition automaton3 Remove variables and compute equivalent deterministic automaton
I For each values of the parameters:I Test if system is coherent in linear timeI Count solutions in linear timeI Find a solution in linear time
Can also study properties of the systems.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 36 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Some PropertiesImportant Example
x⊕∆ = x� δ
I For this particular system, we can build very efficient expressions:
I Consistent iff
{∆0 = δ0∀i : ∆ i = 1 or δi ⊕∆ i+1 ⊕ δi+1 = 0
!((D^d)&1) && !(((((D^d)>>1)^d) & (~D)) >1 ^ (r&(~D|0x8000000))
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 37 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Main Idea
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
I If we haveI a (near) collision in QaI a (near) collision in MI a (near) collision in the the first rounds of f1
this can be seen in the output:HH0 = (XH�5 ⊕Q�516 ⊕M0)� (XL⊕Q24 ⊕Q0)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 38 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Inside f0
M
H
P Qax y
I We want no difference in Qa, no difference in M
I Pick a random pair x/x′, compute y/y′ through P
I Solve the AX system:
M⊕H = x M⊕H′ = x′
y�H = Qa y′ �H′ = Qa
where H,H′,M,Qa are unknown, x, x′, y, y′ are given parameters
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 39 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Inside f0
M
H
P Qax y
I We want no difference in Qa, no difference in M
I Pick a random pair x/x′, compute y/y′ through P
I Solve the AX system:
H⊕∆ = H� δ∆ = (x⊕ x′) δ = (y� y′)
where H,H′,M,Qa are unknown, x, x′, y, y′ are given parameters
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 39 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Basic BMW Attack
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
1 Chose a random x, x′ so that x′ ⊕ x has a high weight
2 Compute y, y′
3 Solve H⊕∆ = H� δ.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 40 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Basic BMW Attack
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
I The analysis of the f0 function is the core of the attackI We use degrees of freedom in x, x′ to improve the attack
I First improvement: make some words of H inactiveI f1 is a FSR see detailsI AddElement(16) = (M≪10 �M
≪43 �M
≪1110 � K16)⊕H7
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 40 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Basic BMW Attack
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
I The analysis of the f0 function is the core of the attackI We use degrees of freedom in x, x′ to improve the attack
I First improvement: make some words of H inactiveI f1 is a FSR see detailsI AddElement(16) = (M≪10 �M
≪43 �M
≪1110 � K16)⊕H7
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 40 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Inside f0
M
H
P Qax y
The P permutation
I �-Linear layerI z = M.x
I Word-wise operationsI yi = fi(zi) see details
I Hi is inactive iff xi, yi and zi are inactiveI Linear constraints
I We can have H7, H8, . . .H13 inactiveI This gives Q16, Q17, . . .Q22 inactive
I Reduce the x, x′ space by fixing x′ � xI When x′ � x 6= 0, x, x′ constrained by high Hamming distanceI When x′ � x = 0, x is free, and H is free
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 42 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Using Collisions in AddElement
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
I Second improvement: allow differences in M,cancel M differences and H differences in AddElementI Can use degrees of freedom in the inactive H
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 43 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Collisions in AddElementOur path
I differences in M13, M14, M15;I differences in H1 . . .H6, H10, H11 and H12.
AddElement(16) (M≪10 �M≪43 �M
≪1110 � K16)⊕H7
AddElement(17) (M≪21 �M≪54 �M
≪1211 � K17)⊕H8
AddElement(18) (M≪32 �M≪65 �M
≪1312 � K18)⊕H9
AddElement(19) (M≪43 �M≪76 �M
≪1413 � K19)⊕H10
AddElement(20) (M≪54 �M≪87 �M
≪1514 � K20)⊕H11
. . .
Just another AX systemI Use the degrees of freedom form the inactive xi’s
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 44 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Summary of the attack
1 Select a difference x′ � x such thatselected words of x and y are inactive
2 Select a value for x so that x′ ⊕ x has a high weightI By extending the carriesI Increases the probability that the system is consistent.
3 Solve H⊕∆ = H� δ. If inconsistent, goto 1 .
4 Use degrees of freedom in H to make AddElement (near) collide.If impossible, goto 1 .
5 Randomize with remaining degrees of freedom until XH collides.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 45 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Output function
HH0 = (XH�5 ⊕ Q�516 ⊕ M0) � (XL ⊕ Q24 ⊕ Q0)HH1 = (XH�7 ⊕ Q�817 ⊕ M1) � (XL ⊕ Q25 ⊕ Q1)HH2 = (XH�5 ⊕ Q�518 ⊕ M2) � (XL ⊕ Q26 ⊕ Q2)HH3 = (XH�1 ⊕ Q�519 ⊕ M3) � (XL ⊕ Q27 ⊕ Q3)HH4 = (XH�3 ⊕ Q20 ⊕ M4) � (XL ⊕ Q28 ⊕ Q4)HH5 = (XH�6 ⊕ Q�621 ⊕ M5) � (XL ⊕ Q29 ⊕ Q5)HH6 = (XH�4 ⊕ Q�622 ⊕ M6) � (XL ⊕ Q30 ⊕ Q6)HH7 = (XH�11 ⊕ Q�223 ⊕ M7) � (XL ⊕ Q31 ⊕ Q7)HH8 = HH≪94 � (XH ⊕ Q24 ⊕ M8) � (XL�8 ⊕ Q23 ⊕ Q8)HH9 = HH≪105 � (XH ⊕ Q25 ⊕ M9) � (XL�6 ⊕ Q16 ⊕ Q9)HH10 = HH≪116 � (XH ⊕ Q26 ⊕ M10) � (XL
�6 ⊕ Q17 ⊕ Q10)HH11 = HH≪127 � (XH ⊕ Q27 ⊕ M11) � (XL�4 ⊕ Q18 ⊕ Q11)HH12 = HH≪130 � (XH ⊕ Q28 ⊕ M12) � (XL�3 ⊕ Q19 ⊕ Q12)HH13 = HH≪141 � (XH ⊕ Q29 ⊕ M13) � (XL�4 ⊕ Q20 ⊕ Q13)HH14 = HH≪152 � (XH ⊕ Q30 ⊕ M14) � (XL�7 ⊕ Q21 ⊕ Q14)HH15 = HH≪163 � (XH ⊕ Q31 ⊕ M15) � (XL�2 ⊕ Q22 ⊕ Q15)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 46 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Practical example
Chaining Value59dfd94b 30b036e3 44ad8a65 47461712 59dfd94b 30b036e2 bb52759b b8b9e8ed
6f56e9b4 425e2d65 40000003 94e62f58 90a9164c bda1d29a bffffffc 94e62f58
12c4bf76 17b18302 4f74ffd3 3ec30f93 12c4bf76 17b18302 b08b002c c13cf06c
8b0f9f9b 7071a4a5 28becf17 6954724f 74f06064 7071a4a5 28becf17 6954724f
Messagebd050fb4 c6925351 991aa15f 60327d4b bd050fb4 c6925351 991aa15f 60327d4b
0212e457 9feb065e d6ab8dac 7b52f8ca 0212e457 9feb065e d6ab8dac 7b52f8ca
2f8a9774 1f189302 2043dc85 7b0eac19 2f8a9774 1f189302 2043dc85 7b0eac19
08fe0408 01c2f910 19abe45b 00000000 08fe0408 01c6f910 e6541ba4 ffffffe0
Output70588aa3 62e38880 4b32cd23 7da56fd2 70588aa3 62e38880 4b32cd23 7da56fd1
54827a61 d78e6b5f 17cce172 0ae88e5a 54827a62 d78e6b5e f6942bb0 35a96499
232a8830 7f31780e f0865b01 28cb4150 232a8a30 7f31740e 2ad851f7 362f33fb
39ba3bd2 277e9d52 316a7411 c8dbc618 39ba3bd3 27829d53 d239cc6e 29aa1db7
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 47 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Summary
I Tools to solve AX system
I Path avoiding most of the rotations in BMWI Using degrees of freedomI Making some rotations inactive
Results (BMW-256 compression function)
I Partial-collisionsI 300 chosen bits in 232 (generic: 2150)
I Near-collisions:I 400 bits in 232 (generic: 255)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 48 / 49
-
Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion
Bibliography
Attacks on Hash Functions based on Generalized Feistel -Application to Reduced-Round Lesamnta and SHAvite-3512C. Bouillaguet, O. Dunkelman, P.-A. Fouque, G. Leurent [SAC ’10]
Cryptanalysis of the 10-Round Hash and Full Compression Functionof SHAvite-3512P. Gauravaram, G. Leurent, F. Mendel, M. Naya-Plasencia, T. Peyrin,C. Rechberger, M. Schläffer [Africacrypt ’10]
Practical Near-Collisions on the Compression Function of BMWG. Leurent, S. Thomsen [FSE ’11]
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 49 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Appendix
Conditions on the message expansion of SHAvite-3512
Weak salts for SHAvite-3512
Description of BMW
Automaton Example
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 50 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Appendix
Conditions on the message expansion of SHAvite-3512
Weak salts for SHAvite-3512
Description of BMW
Automaton Example
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 51 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Message Expansion
rk[256 ...259,260 ...263,264 ...267,268 ...271,272 ...275,276 ...279,280 ...283,284 ...287]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[224 ...227,228 ...231,232 ...235,236 ...239,240 ...243,244 ...247,248 ...251,252 ...255]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
AES AES AES AES AES AES AES AESrk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[160 ...163,164 ...167,168 ...171,172 ...175,176 ...179,180 ...183,184 ...187,188 ...191]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
AES AES AES AES AES AES AES AESrk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
c
1 Propagate constraints
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 52 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Message Expansion
rk[256 ...259,260 ...263,264 ...267,268 ...271,272 ...275,276 ...279,280 ...283,284 ...287]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[224 ...227,228 ...231,232 ...235,236 ...239,240 ...243,244 ...247,248 ...251,252 ...255]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
AES AES AES AES AES AES AES AESrk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[160 ...163,164 ...167,168 ...171,172 ...175,176 ...179,180 ...183,184 ...187,188 ...191]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
AES AES AES AES AES AES AES AESrk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
c
1 Propagate constraints
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 52 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Message Expansion
rk[256 ...259,260 ...263,264 ...267,268 ...271,272 ...275,276 ...279,280 ...283,284 ...287]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[224 ...227,228 ...231,232 ...235,236 ...239,240 ...243,244 ...247,248 ...251,252 ...255]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
AES AES AES AES AES AES AES AESrk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[160 ...163,164 ...167,168 ...171,172 ...175,176 ...179,180 ...183,184 ...187,188 ...191]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
AES AES AES AES AES AES AES AESrk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
c
1 Propagate constraints
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 52 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Message Expansion
rk[256 ...259,260 ...263,264 ...267,268 ...271,272 ...275,276 ...279,280 ...283,284 ...287]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[224 ...227,228 ...231,232 ...235,236 ...239,240 ...243,244 ...247,248 ...251,252 ...255]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
AES AES AES AES AES AES AES AESrk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[160 ...163,164 ...167,168 ...171,172 ...175,176 ...179,180 ...183,184 ...187,188 ...191]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
AES AES AES AES AES AES AES AESrk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
c
2 Guess values
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 52 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Message Expansion
rk[256 ...259,260 ...263,264 ...267,268 ...271,272 ...275,276 ...279,280 ...283,284 ...287]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[224 ...227,228 ...231,232 ...235,236 ...239,240 ...243,244 ...247,248 ...251,252 ...255]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
AES AES AES AES AES AES AES AESrk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]
LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[160 ...163,164 ...167,168 ...171,172 ...175,176 ...179,180 ...183,184 ...187,188 ...191]
LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
AES AES AES AES AES AES AES AESrk[128 ...131,132 ...135,136 ...139,140 ...143,144 ...147,148 ...151,152 ...155,156 ...159]
c
3 Compute the missing values; check coherence
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 52 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Appendix
Conditions on the message expansion of SHAvite-3512
Weak salts for SHAvite-3512
Description of BMW
Automaton Example
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 53 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Weak salt for Round-1 SHAvite-3512 (Peyrin)
RK5 RK′5LFSR
AES (salt)RK4 RK′4
LFSRRK3 RK′3
LFSRAES (salt)
RK2 RK′2LFSR
RK1 RK′1LFSR
AES (salt)RK0 RK′0
cnt
cnt
cnt
⊕
⊕
⊕
I Take the zero counter;I Take the salt that sends zero to zero;I Use the zero message: all the subkeys are zero.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 54 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Weak salt for Round-1 SHAvite-3512 (Peyrin)
RK5 RK′5LFSR
AES (salt)RK4 RK′4
LFSRRK3 RK′3
LFSRAES (salt)
RK2 RK′2LFSR
RK1 RK′1LFSR
AES (salt)RK0 RK′0
cnt
cnt
cnt
⊕
⊕
⊕
I Take the zero counter;I Take the salt that sends zero to zero;I Use the zero message: all the subkeys are zero.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 54 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Weak salt for Round-1 SHAvite-3512 (Peyrin)
RK5 RK′5LFSR
AES (salt)RK4 RK′4
LFSRRK3 RK′3
LFSRAES (salt)
RK2 RK′2LFSR
RK1 RK′1LFSR
AES (salt)RK0 RK′0
cnt
cnt
cnt
⊕
⊕
⊕
I Take the zero counter;I Take the salt that sends zero to zero;I Use the zero message: all the subkeys are zero.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 54 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Weak salt for Round-1 SHAvite-3512 (Peyrin)
RK5 RK′5LFSR
AES (salt)RK4 RK′4
LFSRRK3 RK′3
LFSRAES (salt)
RK2 RK′2LFSR
RK1 RK′1LFSR
AES (salt)RK0 RK′0
cnt
cnt
cnt
⊕
⊕
⊕
I Take the zero counter;I Take the salt that sends zero to zero;I Use the zero message: all the subkeys are zero.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 54 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Weak salt for Round-2 SHAvite-3512
RK5 RK′5LFSR
AES (salt)RK4 RK′4
LFSRRK3 RK′3
LFSRAES (salt)
RK2 RK′2LFSR
RK1 RK′1LFSR
AES (salt)RK0 RK′0
⊕
⊕
cnt ⊕ 0f0
cnt ⊕ f00
⊕ cnt ⊕ 00f
I Cancel one counter in the middle;I Take the salt that sends zero to zero;I Use the zero subkey in the middle.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 55 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Weak salt for Round-2 SHAvite-3512
RK5 RK′5LFSR
AES (salt)RK4 RK′4
LFSRRK3 RK′3
LFSRAES (salt)
RK2 RK′2LFSR
RK1 RK′1LFSR
AES (salt)RK0 RK′0
⊕
⊕
cnt ⊕ 0f0
cnt ⊕ f00
⊕ cnt ⊕ 00f
I Cancel one counter in the middle;I Take the salt that sends zero to zero;I Use the zero subkey in the middle.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 55 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Weak salt for Round-2 SHAvite-3512
RK5 RK′5LFSR
AES (salt)RK4 RK′4
LFSRRK3 RK′3
LFSRAES (salt)
RK2 RK′2LFSR
RK1 RK′1LFSR
AES (salt)RK0 RK′0
⊕
⊕
cnt ⊕ 0f0
cnt ⊕ f00
⊕ cnt ⊕ 00f
I Cancel one counter in the middle;I Take the salt that sends zero to zero;I Use the zero subkey in the middle.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 55 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Weak salt for Round-2 SHAvite-3512
RK5 RK′5LFSR
AES (salt)RK4 RK′4
LFSRRK3 RK′3
LFSRAES (salt)
RK2 RK′2LFSR
RK1 RK′1LFSR
AES (salt)RK0 RK′0
⊕
⊕
cnt ⊕ 0f0
cnt ⊕ f00
⊕ cnt ⊕ 00f
I Cancel one counter in the middle;I Take the salt that sends zero to zero;I Use the zero subkey in the middle.
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 55 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Weak salt for Round-2 SHAvite-3512i RKi RK
′i rk00,i k
10,i k
20,i k
30,i k
01,i k
11,i k
21,i k
31,i
0 ? ? ? ? ? ? ? ? M1 ?F ? ? ? ? ? ? 0 12 0 ? ? ? ? 0 0 03 0 ? ? ? 0 0 0 0 24 0 ? 0 0 0 0 0 05 0 0F 0 0 0 0 0 0 36 0 0 0 0 0 0 0 07 0 0 0 0 0 0 0 0 48 0 0 0 0 0 0 0 09 0 0 0 0F 0 0 0 0 510 0 0 0 0 0 0 0 011 0 0 0 0 0 0 0 0 612 0 0 0 0 0 0 0 013 0 0 0 0 0 0 ?F ? 7
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 56 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Appendix
Conditions on the message expansion of SHAvite-3512
Weak salts for SHAvite-3512
Description of BMW
Automaton Example
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 57 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Blue Midnight Wish
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
I Wide pipe: each line is 16× 32 bitsI ARX: Addition, Rotations, Xors
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 58 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Blue Midnight Wish
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
The P permutation
I z0 = x5� x7� x10� x13� x14I z1 = x6� x8� x11� x14� x15I . . .
I y0 = z�10 ⊕ z�30 ⊕ z≪40 ⊕ z≪190I y1 = z�11 ⊕ z�21 ⊕ z≪81 ⊕ z≪231I . . .
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 58 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Blue Midnight Wish
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
The f1 function: FSR
I Q16 = s1(Q0)� s2(Q1)� . . .� s0(Q15)�AddElement(16)I Q17 = s1(Q1)� s2(Q2)� . . .� s0(Q16)�AddElement(17)I . . .
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 58 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Blue Midnight Wish
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
The AddElement function
I AddElement(16) = (M≪10 �M≪43 �M
≪1110 � K16)⊕H7
I AddElement(17) = (M≪21 �M≪54 �M
≪1211 � K17)⊕H8
I . . .
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 58 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Blue Midnight Wish
f0
f2
M
H
P Qa
f1
Qb
x y
AddElementH
The f2 function: XL =⊕23
i=16 Qi, XH =⊕31
i=16 Qi
I HH0 = (XH�5 ⊕Q�516 ⊕M0)� (XL⊕Q24 ⊕Q0)I . . .I HH8 = HH≪94 � (XH⊕Q24 ⊕M8)� (XL�8 ⊕Q23 ⊕Q8)
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 58 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Appendix
Conditions on the message expansion of SHAvite-3512
Weak salts for SHAvite-3512
Description of BMW
Automaton Example
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 59 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
-
Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example
Transition Automata
We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables
Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x
0start 11,1,1
0,0,00,0,11,1,0
1,0,0
1,0,10,1,00,1,1
∆ = 1110δ = 1010x = 0111
Fails
G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 60 / 49
IntroductionAttacks on Generalized Feistel schemesAnalysis of BMWConclusionAppendixConditions on the message expansion of SHAvite-3512Weak salts for SHAvite-3512Description of BMWAutomaton Example