Analysis of some SHA-3 candidates - Inria · 2020. 12. 13. · Introduction Attacks on Generalized...

Introduction Attacks on Generalized Feistel schemes Analysis of BMW Conclusion

Analysis of some SHA-3 candidates

Gaëtan Leurent

University of Luxembourg

May 4, 2011

G. Leurent (uni.lu) Analysis of some SHA-3 candidates May 4, 2011 1 / 49


An Ideal Hash Function: the Random Oracle

I Public Random OracleI The output can be used as a fingerprint of the document



An Ideal Hash Function: the Random Oracle

0x1d66ca77ab361c6f

I Public Random OracleI The output can be used as a fingerprint of the document



A Concrete Hash Function

I A public function with no structural property.I Cryptographic strength without any key!

I F : {0, 1}∗ → {0, 1}n

0x1d66ca77ab361c6fF



Security goals

Preimage attack

? 0xb58bff99F

Given F and H, find M s.t. F(M) = H.Ideal security: 2n.



Security goalsSecond-preimage attack

? F

F

0xf46cc4146=

Given F and M1, find M2 6= M1 s.t. F(M1) = F(M2).Ideal security: 2n.



Security goalsCollision attack

? F

? F?6=

Given F, find M1 6= M2 s.t. F(M1) = F(M2).Ideal security: 2n/2.



Hash function design

I Build a small compression function, and iterate.

I Cut the message in chunks M0, ...MkI Hi = f(Mi,H−1)I F(M) = Hk

f

M0

H0

f

M1

H1

f

M2

H2

f

M3

H3IV



Compression Function Attacks

Fist results usually target the compression function

I Because it’s easier: more degrees of freedomI Because good compression function imply good hash function

MD5 cryptanalysis

I 1993: Free-start collisions [den Boer and Bosselaers]I 1996: Semi-free-start collisions [Dobbertin]I 2005: Collisions [Wang et. al]I 2009: Rogue certificate [Stevens et. al]

Wang’s and Stevens’s attacks are based on the dBB path



Operations used

Two main categories of designs:

ARX designs

I Additions, Rotations, XorsI Inspired by MD/SHAI Lots of light roundsI Bit-level attackI Known attacks techniques,

but finding paths is hard

SBox designs

I SBoxes and Linear LayersI Inspired by the AESI Few heavy roundsI SBox-level attacksI New attacks techniques,e.g. rebound attack



Outline

IntroductionHash Functions

Attacks on Generalized Feistel schemesThe cancellation propertyApplication to SHAvite-3512Extension to 14 rounds with weak saltsOther results

Analysis of BMWSolving AX systemsApplication to BMWSummary



Outline






Generalized Feistel schemes

I Build a 4n-bit function out of an n-bit function:

S T U V

S T U VKi

F

Lesamnta structure(CAST-like)

VUTS

VUTSK′iKi

F F

SHAvite-3512 structure(RC6-like)

I Ideal: each Fi is an independent ideal function/permutationI In practice: Fi(x) = F(ki ⊕ x) with a fixed F



Cancellation Cryptanalysis

Main idea

Cancel the effect of non-linear componentsby using the same input pairs twice

I If round functions are related: Fi(x) = F(ki ⊕ x)

I Look for terms with Fi(u)⊕ Fj(u⊕ α)I Set α = ki ⊕ kjI Then Fj(u⊕ α) = F(kj ⊕ u⊕ ki ⊕ kj) = Fi(u)



The Cancellation Property

F F

I Full diffusion after4 rounds

I If y1 = y2 = y,the differencescancel out

I Use constraintson the state

i Si Ti Ui Vi

0 x - - -1 - x - -2 - y1 x - x→ y13 - z y1 x y1 → z4 x w z y′ x→ y2, z→ w

y′ = y1 ⊕ y2



The Cancellation Property

F F

I Full diffusion after4 rounds

I If y1 = y2 = y,the differencescancel out

I Use constraintson the state

i Si Ti Ui Vi

0 x - - -1 - x - -2 - y x - x→ y3 - z y x y→ z4 x w z - x→ y, z→ w



The Cancellation Property: Looking at the Values

We study values, starting at round 4:

i Si Ti Ui Vi

4 a b c d5 d a⊕ F4(b) b c⊕ F′4(d)6 c⊕ F′4(d) d⊕ F5(a⊕ F4(b)) a⊕ F4(b) b⊕ F′5(c⊕ F′4(d))7 c⊕ F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b)))

Round 7: F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b))).They cancel if: F5(a⊕ F4(b)) = k1,4 ⊕ k0,6



9-round Truncated Differential

i Si Ti Ui Vi

0 ? x2 ? x1 x - x2 x12 x1 x - - x1 → x23 - - x - x→ x14 - - - x5 x - - y x→ y6 y x - z y→ z7 z - x w x→ y, z→ w8 w z - ?9 ? - z ? z→ wFF ? x2 ? ?

Properties

I Using conditions on thestate, probability 1.

I The transitions x→ x1and x1 → x2 are known.

I Compute x from x2



Valuesi Xi/Yi

X0 b⊕ F3(c)⊕ F′1(c⊕ F2(d⊕ F′3(a)))Y0 d⊕ F′3(a)⊕ F1(a⊕ F′2(b⊕ F3(c)))X1 a⊕ F′2(b⊕ F3(c))Y1 c⊕ F2(d⊕ F′3(a))X2 d⊕ F′3(a)Y2 b⊕ F3(c)X3 cY3 aX4 bY4 dX5 a⊕ F4(b)Y5 c⊕ F′4(d)X6 d⊕ F5(a⊕ F4(b))Y6 b⊕ F′5(c⊕ F′4(d))X7 c⊕ F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b)))Y7 a⊕ F4(b)⊕ F′6(b⊕ F

′5(c⊕ F′4(d)))

X8 b⊕ F′5(c⊕ F′4(d))⊕ F7(c)Y8 d⊕ F5(a⊕ F4(b))⊕ F′7(a⊕ F4(b)⊕ F′6(b⊕ F

′5(c⊕ F′4(d))))

X9 a⊕ F4(b)⊕ F′6(b⊕ F′5(c⊕ F′4(d)))⊕ F8(b⊕ F′5(c⊕ F′4(d))⊕ F7(c))



Message Conditions

Round 7 F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b))).They cancel if: F5(a⊕ F4(b)) = k01,4 ⊕ k00,6

Round 9 F′6(b⊕ F′5(c⊕ F′4(d)))⊕ F8(b⊕ F′5(c⊕ F′4(d))⊕ F7(c)).They cancel if: F7(c) = k01,6 ⊕ k

00,8



9-round Attack

I Choose a, b, c, to satisfy the cancellation conditions.I Compute everything as a function of (a, b, c, d) := (S4, T4,U4,V4).

I Express the output as a function of dI T9 = η

I η = a⊕ F4(b)I T0 = F′1(F2(d⊕ α)⊕ β)⊕ γ

I α = F′3(a)I β = cI γ = b⊕ F3(c)

I For a target value H, set d = F−12(F′−11

(H⊕ η ⊕ γ

)⊕ β

)⊕ α

I This gives T0 ⊕ T9 = H: partial preimage



Application to SHAvite-3512

VUTS

VUTSK′iKi

F′ F

I 14 roundsI State is 4× 128 bitsI Davies-Meyer (message is the key)I Fi(x) = F(F(F(F(x⊕ k0i )⊕ k1i )⊕ k2i )⊕ k3i )I F is one AES round.I Key schedule: linear and AES rounds.

Problem

F uses several keys



Message Conditions: SHAvite-3512

Round 7 F′4(d)⊕ F6(d⊕ F5(a⊕ F4(b))).They cancel if: F5(a⊕ F4(b)) = k01,4 ⊕ k00,6and (k11,4, k

21,4, k

31,4) = (k

10,6, k

20,6, k

30,6).

Round 9 F′6(b⊕ F′5(c⊕ F′4(d)))⊕ F8(b⊕ F′5(c⊕ F′4(d))⊕ F7(c)).They cancel if: F7(c) = k01,6 ⊕ k

00,8

and (k11,6, k21,6, k

31,6) = (k

10,8, k

20,8, k

30,8).



Solving the Conditions

I We can build a chaining value satisfying the 6 conditionswith cost 296. see details

I Each chaining value can be used 2128 timesto fix 128 bits of the output.I Cost of finding a good message is amortized.

I Attacks on 9-round SHAvite-3512:I Free-start preimage with complexity 2384I Second-Preimage with complexity 2448.



Extension to 10 rounds

I We only use two cancellations: two conditions on the stateI We still have two degrees of freedom

I We change the variables:(u, z, v,w) := (T2, T3, T4, T5)

u, v degrees of freedom, z,w fixed by the cancellation conditions

H = z⊕ F2(u)⊕ F′0(u⊕ F1(w⊕ F4(v)⊕ F′2(v⊕ F3(z))))⊕wF1(w⊕ F4(v)⊕ F′2(v⊕ F3(z))) = u⊕ F′−10 (H⊕ z⊕ F2(u)⊕w)

I We have u on one side and v on the other side:we can solve with cost 264 by the birthday paradox (or TMTD)

I Attacks on 10-round SHAvite-3512



10-round Path

i Ti Vi

0 v⊕ F3(z)⊕ F′1(z⊕ F2(u)) u⊕ F1(w⊕ F4(v)⊕ F′2(v⊕ F3(z)))1 w⊕ F4(v)⊕ F′2(v⊕ F3(z)) z⊕ F2(u)2 u v⊕ F3(z)3 z w⊕ F4(v)4 v u⊕ F′3(V3)5 w z⊕ F′4(V4)6 V4 ⊕ F5(w) v⊕ F′5(V5)7 z⊕ F′4(V4)⊕ F6(V4 ⊕ F5(w)) w⊕ F′6(V6)8 V6 ⊕ F7(z) V4 ⊕ F5(w)⊕ F′7(V7)9 w⊕ F′6(V6)⊕ F8(V6 ⊕ F7(z)) z⊕ F

′8(V8)




I We only use two cancellations: two conditions on the stateI We still have two degrees of freedom

I We change the variables:(u, z, v,w) := (T2, T3, T4, T5)

u, v degrees of freedom, z,w fixed by the cancellation conditions

H = z⊕ F2(u)⊕ F′0(u⊕ F1(w⊕ F4(v)⊕ F′2(v⊕ F3(z))))⊕wF1(w⊕ F4(v)⊕ F′2(v⊕ F3(z))) = u⊕ F′−10 (H⊕ z⊕ F2(u)⊕w)

I We have u on one side and v on the other side:we can solve with cost 264 by the birthday paradox (or TMTD)

I Attacks on 10-round SHAvite-3512




i Xi Yi

0 v⊕ F3(z)⊕ F′1(z⊕ F2(u)) u⊕ F1(w⊕ F4(v)⊕ F′2(v⊕ F3(z)))1 w⊕ F4(v)⊕ F′2(v⊕ F3(z)) z⊕ F2(u)2 u v⊕ F3(z)3 z w⊕ F4(v)4 v u⊕ F′3(Y3)5 w z⊕ F′4(Y4)6 Y4 ⊕ F5(w) v⊕ F′5(Y5)7 z⊕ F′4(Y4)⊕ F6(Y4 ⊕ F5(w)) w⊕ F′6(Y6)8 Y6 ⊕ F7(z) Y4 ⊕ F5(w)⊕ F′7(Y7)9 w⊕ F′6(Y6)⊕ F8(Y6 ⊕ F7(z)) z⊕ F

′8(Y8)

10 Y8 ⊕ F9(w) Y6 ⊕ F7(z)⊕ F′9(Y9)11 z⊕ F′8(Y8)⊕ F10(Y8 ⊕ F9(w)) w⊕ F′10(Y10)12 Y10 ⊕ F11(z) Y8 ⊕ F9(w)⊕ F′11(Y11)13 w⊕ F′10(Y10)⊕ F12(Y10 ⊕ F11(z)) z⊕ F′12(Y12)



14-round cancellation conditionsRound 7 F′4(Y4)⊕ F6(Y4 ⊕ F5(w)).

They cancel if: F5(w) = k01,4 ⊕ k00,6 and(k11,4, k

21,4, k

31,4) = (k

10,6, k

20,6, k

30,6).

Round 9 F′6(Y6)⊕ F8(Y6 ⊕ F7(z)).They cancel if: F7(z) = k01,6 ⊕ k

00,8 and

(k11,6, k21,6, k

31,6) = (k

10,8, k

20,8, k

30,8).

Round 11 F′8(Y8)⊕ F10(Y8 ⊕ F9(w)).They cancel if: F9(w) = k01,8 ⊕ k00,10 and(k11,8, k

21,8, k

31,8) = (k

10,10, k

20,10, k

30,10).

Since w is fixed: F−15 (k01,4 ⊕ k00,6) = F

−19 (k

01,8 ⊕ k00,10)

Round 13 F′10(Y10)⊕ F12(Y10 ⊕ F11(z)).They cancel if: F11(z) = k01,10 ⊕ k00,12 and(k11,10, k

21,10, k

31,10) = (k

10,12, k

20,12, k

30,12).

Since z is fixed: F−17 (k01,6 ⊕ k

00,8) = F

−111 (k

01,10 ⊕ k00,12)



14-round cancellation conditionsI 256-bit condition on the stateI 1792-bit condition on the expanded message

F5(w) = k01,4 ⊕ k00,6F7(z) = k01,6 ⊕ k

00,8

(k11,4, k21,4, k

31,4) = (k

10,6, k

20,6, k

30,6)

(k11,6, k21,6, k

31,6) = (k

10,8, k

20,8, k

30,8)

(k11,8, k21,8, k

31,8) = (k

10,10, k

20,10, k

30,10)

(k11,10, k21,10, k

31,10) = (k

10,12, k

20,12, k

30,12)

F−15 (k01,4 ⊕ k00,6) = F

−19 (k

01,8 ⊕ k00,10)

F−17 (k01,6 ⊕ k

00,8) = F

−111 (k

01,10 ⊕ k00,12)



Weak salts

I More conditions than inputs to the message expansion

I We can build a salt/cv pair satisfying the 14 conditionswith cost 1 (2288 solutions) see details

I Each chaining value can give 2128 solutionswith 128 bits of the output fixed.I Enough solutions for a full preimage.

I Attacks on 14-round SHAvite-3512 compression function:I Chosen salt free-start preimage with complexity 2384

(with 2128 memory)



Summary

F F

I Generic 9-round and 10-round attacks

I In SHAvite-3512 each round function use several keysI Use properties of the message expansion

I 14-round attack possible with lots of constraintsI Use weak salts



Results: SHAvite-3512

Comp. Fun. Hash Fun.

Attack Rounds Time Mem. Time Mem.

2nd Preimage 9 2384 - 2448 264

2nd Preimage 10 2448 - 2480 232

2nd Preimage 10 2416 264 2464 264

2nd Preimage 10 2384 2128 2448 2128

Collision1 14 2192 2128 N/APreimage1 14 2384 2128 N/APreimage1 14 2448 - N/A

1 Chosen salt attacks



Other ResultsI Attacks on reduced Lesamnta

FI 24 rounds out of 32: collision and preimage

I Previous attacks: 16 rounds

I Attacks on block ciphers

FI 20-round distinguisher

I 21-round key-recovery attack

I Previous attacks: 18-round distinguisherI Integral attack

I consider 2n/4 structures of 2n/4 plain-textsI one structure will have the cancellation property



Outline






Blue Midnight Wish

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

I Wide pipe: each line is 16 words (32 or 64 bits)

I Most of the diffusion happens in f1I ARX: Addition, Rotations, Xors see details



Solving AX Systems

Important Example

x⊕∆ = x� δ

I On average one solutionI Easy to solve because it’s a T-function.

I Guess LSB, check, and move to next bit

I How easy exactly?I Backtracking is exponential in the worst case:x⊕ 0x80000000 = x

I For random δ, ∆, most of the time the system is inconsistent



Transition AutomataWe use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables

Carry transitions for x⊕∆ = x� δ.

c ∆ δ x c’

0 0 0 0 00 0 0 1 00 0 1 0 -0 0 1 1 -0 1 0 0 -0 1 0 1 -0 1 1 0 00 1 1 1 1

c ∆ δ x c’

1 0 0 0 -1 0 0 1 -1 0 1 0 11 0 1 1 11 1 0 0 01 1 0 1 11 1 1 0 -1 1 1 1 -



Transition AutomataWe use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables

Carry transitions for x⊕∆ = x� δ. The edges are indexed by ∆, δ, x

0start 11,1,1

0,0,00,0,11,1,0

1,0,0

1,0,10,1,00,1,1

see example



Decision Automata

I Remove x from the transitionsI Convert the non-deterministic automata to deterministic.


0start 11,1,1

0,0,00,0,11,1,0

1,0,0

1,0,10,1,00,1,1

I Can decide whether a given ∆, δ is compatible.



Decision Automata


Decision automaton for x⊕∆ = x� δ. The edges are indexed by ∆, δ

0start 11,1

0,00,01,1

1,0

1,00,10,1




Decision Automata


Decision automaton for x⊕∆ = x� δ. The edges are indexed by ∆, δ

{0}start {0, 1} {1}1,1

0,0

0,0

1,01,1

0,1

1,0

0,1




Solving AX systems

Take an AX system with variables and parameters.e.g. x⊕∆ = x� δ

1 Compute carry transitions2 Build transition automaton3 Remove variables and compute equivalent deterministic automaton

I For each values of the parameters:I Test if system is coherent in linear timeI Count solutions in linear timeI Find a solution in linear time

Can also study properties of the systems.



Some PropertiesImportant Example

x⊕∆ = x� δ

I For this particular system, we can build very efficient expressions:

I Consistent iff

{∆0 = δ0∀i : ∆ i = 1 or δi ⊕∆ i+1 ⊕ δi+1 = 0

!((D^d)&1) && !(((((D^d)>>1)^d) & (~D)) >1 ^ (r&(~D|0x8000000))



Main Idea

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

I If we haveI a (near) collision in QaI a (near) collision in MI a (near) collision in the the first rounds of f1

this can be seen in the output:HH0 = (XH�5 ⊕Q�516 ⊕M0)� (XL⊕Q24 ⊕Q0)



Inside f0

M

H

P Qax y

I We want no difference in Qa, no difference in M

I Pick a random pair x/x′, compute y/y′ through P

I Solve the AX system:

M⊕H = x M⊕H′ = x′

y�H = Qa y′ �H′ = Qa

where H,H′,M,Qa are unknown, x, x′, y, y′ are given parameters



Inside f0

M

H

P Qax y

I We want no difference in Qa, no difference in M

I Pick a random pair x/x′, compute y/y′ through P

I Solve the AX system:

H⊕∆ = H� δ∆ = (x⊕ x′) δ = (y� y′)

where H,H′,M,Qa are unknown, x, x′, y, y′ are given parameters



Basic BMW Attack

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

1 Chose a random x, x′ so that x′ ⊕ x has a high weight

2 Compute y, y′

3 Solve H⊕∆ = H� δ.



Basic BMW Attack

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

I The analysis of the f0 function is the core of the attackI We use degrees of freedom in x, x′ to improve the attack

I First improvement: make some words of H inactiveI f1 is a FSR see detailsI AddElement(16) = (M≪10 �M

≪43 �M

≪1110 � K16)⊕H7



Inside f0

M

H

P Qax y

The P permutation

I �-Linear layerI z = M.x

I Word-wise operationsI yi = fi(zi) see details

I Hi is inactive iff xi, yi and zi are inactiveI Linear constraints

I We can have H7, H8, . . .H13 inactiveI This gives Q16, Q17, . . .Q22 inactive

I Reduce the x, x′ space by fixing x′ � xI When x′ � x 6= 0, x, x′ constrained by high Hamming distanceI When x′ � x = 0, x is free, and H is free



Using Collisions in AddElement

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

I Second improvement: allow differences in M,cancel M differences and H differences in AddElementI Can use degrees of freedom in the inactive H



Collisions in AddElementOur path

I differences in M13, M14, M15;I differences in H1 . . .H6, H10, H11 and H12.

AddElement(16) (M≪10 �M≪43 �M

≪1110 � K16)⊕H7


≪1211 � K17)⊕H8


≪1312 � K18)⊕H9


≪1413 � K19)⊕H10


≪1514 � K20)⊕H11

. . .

Just another AX systemI Use the degrees of freedom form the inactive xi’s



Summary of the attack

1 Select a difference x′ � x such thatselected words of x and y are inactive

2 Select a value for x so that x′ ⊕ x has a high weightI By extending the carriesI Increases the probability that the system is consistent.

3 Solve H⊕∆ = H� δ. If inconsistent, goto 1 .

4 Use degrees of freedom in H to make AddElement (near) collide.If impossible, goto 1 .

5 Randomize with remaining degrees of freedom until XH collides.



Output function

HH0 = (XH�5 ⊕ Q�516 ⊕ M0) � (XL ⊕ Q24 ⊕ Q0)HH1 = (XH�7 ⊕ Q�817 ⊕ M1) � (XL ⊕ Q25 ⊕ Q1)HH2 = (XH�5 ⊕ Q�518 ⊕ M2) � (XL ⊕ Q26 ⊕ Q2)HH3 = (XH�1 ⊕ Q�519 ⊕ M3) � (XL ⊕ Q27 ⊕ Q3)HH4 = (XH�3 ⊕ Q20 ⊕ M4) � (XL ⊕ Q28 ⊕ Q4)HH5 = (XH�6 ⊕ Q�621 ⊕ M5) � (XL ⊕ Q29 ⊕ Q5)HH6 = (XH�4 ⊕ Q�622 ⊕ M6) � (XL ⊕ Q30 ⊕ Q6)HH7 = (XH�11 ⊕ Q�223 ⊕ M7) � (XL ⊕ Q31 ⊕ Q7)HH8 = HH≪94 � (XH ⊕ Q24 ⊕ M8) � (XL�8 ⊕ Q23 ⊕ Q8)HH9 = HH≪105 � (XH ⊕ Q25 ⊕ M9) � (XL�6 ⊕ Q16 ⊕ Q9)HH10 = HH≪116 � (XH ⊕ Q26 ⊕ M10) � (XL

�6 ⊕ Q17 ⊕ Q10)HH11 = HH≪127 � (XH ⊕ Q27 ⊕ M11) � (XL�4 ⊕ Q18 ⊕ Q11)HH12 = HH≪130 � (XH ⊕ Q28 ⊕ M12) � (XL�3 ⊕ Q19 ⊕ Q12)HH13 = HH≪141 � (XH ⊕ Q29 ⊕ M13) � (XL�4 ⊕ Q20 ⊕ Q13)HH14 = HH≪152 � (XH ⊕ Q30 ⊕ M14) � (XL�7 ⊕ Q21 ⊕ Q14)HH15 = HH≪163 � (XH ⊕ Q31 ⊕ M15) � (XL�2 ⊕ Q22 ⊕ Q15)



Practical example

Chaining Value59dfd94b 30b036e3 44ad8a65 47461712 59dfd94b 30b036e2 bb52759b b8b9e8ed

6f56e9b4 425e2d65 40000003 94e62f58 90a9164c bda1d29a bffffffc 94e62f58

12c4bf76 17b18302 4f74ffd3 3ec30f93 12c4bf76 17b18302 b08b002c c13cf06c

8b0f9f9b 7071a4a5 28becf17 6954724f 74f06064 7071a4a5 28becf17 6954724f

Messagebd050fb4 c6925351 991aa15f 60327d4b bd050fb4 c6925351 991aa15f 60327d4b

0212e457 9feb065e d6ab8dac 7b52f8ca 0212e457 9feb065e d6ab8dac 7b52f8ca

2f8a9774 1f189302 2043dc85 7b0eac19 2f8a9774 1f189302 2043dc85 7b0eac19

08fe0408 01c2f910 19abe45b 00000000 08fe0408 01c6f910 e6541ba4 ffffffe0

Output70588aa3 62e38880 4b32cd23 7da56fd2 70588aa3 62e38880 4b32cd23 7da56fd1

54827a61 d78e6b5f 17cce172 0ae88e5a 54827a62 d78e6b5e f6942bb0 35a96499

232a8830 7f31780e f0865b01 28cb4150 232a8a30 7f31740e 2ad851f7 362f33fb

39ba3bd2 277e9d52 316a7411 c8dbc618 39ba3bd3 27829d53 d239cc6e 29aa1db7



Summary

I Tools to solve AX system

I Path avoiding most of the rotations in BMWI Using degrees of freedomI Making some rotations inactive

Results (BMW-256 compression function)

I Partial-collisionsI 300 chosen bits in 232 (generic: 2150)

I Near-collisions:I 400 bits in 232 (generic: 255)



Bibliography

Attacks on Hash Functions based on Generalized Feistel -Application to Reduced-Round Lesamnta and SHAvite-3512C. Bouillaguet, O. Dunkelman, P.-A. Fouque, G. Leurent [SAC ’10]

Cryptanalysis of the 10-Round Hash and Full Compression Functionof SHAvite-3512P. Gauravaram, G. Leurent, F. Mendel, M. Naya-Plasencia, T. Peyrin,C. Rechberger, M. Schläffer [Africacrypt ’10]

Practical Near-Collisions on the Compression Function of BMWG. Leurent, S. Thomsen [FSE ’11]


Conditions on the message expansion of SHAvite-3512 Weak salts for SHAvite-3512 Description of BMW Automaton Example

Appendix

Conditions on the message expansion of SHAvite-3512

Weak salts for SHAvite-3512

Description of BMW

Automaton Example



Appendix



Description of BMW

Automaton Example



Message Expansion

rk[256 ...259,260 ...263,264 ...267,268 ...271,272 ...275,276 ...279,280 ...283,284 ...287]

LFSR2: rk[i]=rk[i−32]⊕rk[i−7]rk[224 ...227,228 ...231,232 ...235,236 ...239,240 ...243,244 ...247,248 ...251,252 ...255]

LFSR1: rk[i]=tk[i−32]⊕rk[i−4]tk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]

AES AES AES AES AES AES AES AESrk[192 ...195,196 ...199,200 ...203,204 ...207,208 ...211,212 ...215,216 ...219,220 ...223]




c

1 Propagate constraints



Message Expansion

rk[256 ...259,260 ...263,264 ...267,268 ...271,272 ...275,276 ...279,280 ...283,284 ...287]







c

2 Guess values



Message Expansion

rk[256 ...259,260 ...263,264 ...267,268 ...271,272 ...275,276 ...279,280 ...283,284 ...287]







c

3 Compute the missing values; check coherence



Appendix



Description of BMW

Automaton Example



Weak salt for Round-1 SHAvite-3512 (Peyrin)

RK5 RK′5LFSR

AES (salt)RK4 RK′4

LFSRRK3 RK′3

LFSRAES (salt)

RK2 RK′2LFSR

RK1 RK′1LFSR


cnt

cnt

cnt

⊕

⊕

⊕

I Take the zero counter;I Take the salt that sends zero to zero;I Use the zero message: all the subkeys are zero.



Weak salt for Round-2 SHAvite-3512

RK5 RK′5LFSR


LFSRRK3 RK′3

LFSRAES (salt)

RK2 RK′2LFSR

RK1 RK′1LFSR


⊕

⊕

cnt ⊕ 0f0

cnt ⊕ f00

⊕ cnt ⊕ 00f

I Cancel one counter in the middle;I Take the salt that sends zero to zero;I Use the zero subkey in the middle.



Weak salt for Round-2 SHAvite-3512i RKi RK

′i rk00,i k

10,i k

20,i k

30,i k

01,i k

11,i k

21,i k

31,i

0 ? ? ? ? ? ? ? ? M1 ?F ? ? ? ? ? ? 0 12 0 ? ? ? ? 0 0 03 0 ? ? ? 0 0 0 0 24 0 ? 0 0 0 0 0 05 0 0F 0 0 0 0 0 0 36 0 0 0 0 0 0 0 07 0 0 0 0 0 0 0 0 48 0 0 0 0 0 0 0 09 0 0 0 0F 0 0 0 0 510 0 0 0 0 0 0 0 011 0 0 0 0 0 0 0 0 612 0 0 0 0 0 0 0 013 0 0 0 0 0 0 ?F ? 7



Appendix



Description of BMW

Automaton Example



Blue Midnight Wish

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

I Wide pipe: each line is 16× 32 bitsI ARX: Addition, Rotations, Xors



Blue Midnight Wish

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

The P permutation

I z0 = x5� x7� x10� x13� x14I z1 = x6� x8� x11� x14� x15I . . .

I y0 = z�10 ⊕ z�30 ⊕ z≪40 ⊕ z≪190I y1 = z�11 ⊕ z�21 ⊕ z≪81 ⊕ z≪231I . . .



Blue Midnight Wish

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

The f1 function: FSR

I Q16 = s1(Q0)� s2(Q1)� . . .� s0(Q15)�AddElement(16)I Q17 = s1(Q1)� s2(Q2)� . . .� s0(Q16)�AddElement(17)I . . .



Blue Midnight Wish

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

The AddElement function

I AddElement(16) = (M≪10 �M≪43 �M

≪1110 � K16)⊕H7

I AddElement(17) = (M≪21 �M≪54 �M

≪1211 � K17)⊕H8

I . . .



Blue Midnight Wish

f0

f2

M

H

P Qa

f1

Qb

x y

AddElementH

The f2 function: XL =⊕23

i=16 Qi, XH =⊕31

i=16 Qi

I HH0 = (XH�5 ⊕Q�516 ⊕M0)� (XL⊕Q24 ⊕Q0)I . . .I HH8 = HH≪94 � (XH⊕Q24 ⊕M8)� (XL�8 ⊕Q23 ⊕Q8)



Appendix



Description of BMW

Automaton Example



Transition Automata

We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables


0start 11,1,1

0,0,00,0,11,1,0

1,0,0

1,0,10,1,00,1,1

∆ = 1110δ = 1010x = 0111

Fails



Transition Automata

We use automata to study AX systems: [Mouha et. al]I States represent the carriesI Transitions are labeled with the variables


0start 11,1,1

0,0,00,0,11,1,0

1,0,0

1,0,10,1,00,1,1

∆ = 1110δ = 1010x = 0111

Fails


IntroductionAttacks on Generalized Feistel schemesAnalysis of BMWConclusionAppendixConditions on the message expansion of SHAvite-3512Weak salts for SHAvite-3512Description of BMWAutomaton Example

Analysis of some SHA-3 candidates - Inria · 2020. 12. 13. · Introduction Attacks on Generalized...

Documents

Transcript of Analysis of some SHA-3 candidates - Inria · 2020. 12. 13. · Introduction Attacks on Generalized...