Description of BLAKEResults
Conclusions
Differential and Invertibility Properties ofBLAKE
Jean-Philippe Aumasson1, Jian Guo2, Simon Knellwolf3,Krystian Matusiewicz4, Willi Meier3
1Nagravision SA, Cheseaux, Switzerland
2Nanyang Technological University, Singapore
3FHNW, Windisch, Switzerland
4Technical University of Denmark, Denmark
FSE 2010, 09 Feb 2010
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 1 / 27
Description of BLAKEResults
Conclusions
Talk Overview
1 Description of BLAKE
2 ResultsRound-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
3 Conclusions
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 2 / 27
Description of BLAKEResults
Conclusions
BLAKE Overview
Designed by Aumasson et al.
One of the 14 second round SHA-3 candidates
HAIFA structure
Local wide-pipe compression function
Ht−1
t M
Permutation
Ht
s s
keyed by M
BLAKE-32: 32-bit word, 512-bit state, 10 rounds, 256-bit digest
BLAKE-64: 64-bit word, 1024-bit state, 14 rounds, 512-bit digestJ.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 3 / 27
Description of BLAKEResults
Conclusions
BLAKE’s Permutation
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
1 round = 1 column step followed by 1 diagonal stepReuse the permutation of ChaCha stream cipher, based on Gtransform
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 4 / 27
Description of BLAKEResults
Conclusions
BLAKE’s Permutation
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
1 round = 1 column step followed by 1 diagonal stepReuse the permutation of ChaCha stream cipher, based on Gtransform
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 5 / 27
Description of BLAKEResults
Conclusions
BLAKE’s Permutation
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
1 round = 1 column step followed by 1 diagonal stepReuse the permutation of ChaCha stream cipher, based on Gtransform
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 6 / 27
Description of BLAKEResults
Conclusions
BLAKE’s Permutation
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
1 round = 1 column step followed by 1 diagonal stepReuse the permutation of ChaCha stream cipher, based on Gtransform
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 7 / 27
Description of BLAKEResults
Conclusions
BLAKE’s Permutation
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
1 round = 1 column step followed by 1 diagonal stepReuse the permutation of ChaCha stream cipher, based on Gtransform
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 8 / 27
Description of BLAKEResults
Conclusions
BLAKE’s Permutation
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
1 round = 1 column step followed by 1 diagonal stepReuse the permutation of ChaCha stream cipher, based on Gtransform
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 9 / 27
Description of BLAKEResults
Conclusions
BLAKE’s Permutation
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
1 round = 1 column step followed by 1 diagonal stepReuse the permutation of ChaCha stream cipher, based on Gtransform
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 10 / 27
Description of BLAKEResults
Conclusions
BLAKE’s Permutation
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
1 round = 1 column step followed by 1 diagonal stepReuse the permutation of ChaCha stream cipher, based on Gtransform
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 11 / 27
Description of BLAKEResults
Conclusions
BLAKE’s Permutation
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
1 round = 1 column step followed by 1 diagonal stepReuse the permutation of ChaCha stream cipher, based on Gtransform
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 12 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Main Results
Round-Reduced Near-Collisions up to 4 Rounds forBLAKE-32
5/6-Round Impossible Differentials for BLAKE-32/64
Improved Preimage Attack on 1.5-Round
More bounds
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 13 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Linearization for BLAKE-32
∆ = 0x88888888, invariant w.r.t. rotation by 4
Linearization: replace addition by xor
No-difference goes through ≫ 7
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 14 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Linearization - linearized G
∆ = 0x88888888, invariant w.r.t. rotation by 4
Linearization: replace addition by xor
No-difference goes through ≫ 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 15 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
4-Round Near Collisions for BLAKE-32
Rounds 6 - 9
1.5 rounds for free using message modification
Time Complexity: 242, with negligible memory
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 16 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Impossible Differentials
Miss-in-the-Middle:proof by contradiction that (α→ γ) can not occur,
αprob.1−−−−→ β 6= δ
prob.1←−−−− γ
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 17 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Probability 1 Differential - 1st
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
∆ = 0x800 . . . 00, prob = 1
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 18 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Probability 1 Differential - 2nd
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
∆ = 0x800 . . . 00, prob = 1
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 19 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Probability 1 Differential - 3rd
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
∆ = 0x800 . . . 00, prob = 1
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 20 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
5-round impossible differential for BLAKE-32
Apply miss-in-the-middle to BLAKE-32:
2.5 rounds−−−−−−−−→
prob.= 1
2.5 rounds←−−−−−−−−
prob.= 1
Start with ∆ = 0x800 . . .00 in v1 and M2
Differences after 2.5 rounds DO NOT match
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 21 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
6-round impossible differential for BLAKE-64
Apply miss-in-the-middle to BLAKE-64:
3 rounds−−−−−−−→prob.= 1
3 rounds←−−−−−−−prob.= 1
Start with ∆ = 0x800 . . .00 in v2 and M1
Differences after 3 rounds DO NOT match
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 22 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Inverting G
816
12 7
Mi ⊕ Kj Mj ⊕ Ki
a
b
c
d
a
b
c
d
Compute two words without knowing the message!
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 23 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Inverting the Permutation
From output, get 8 words of intermediate state for free.
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 24 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Inverting the Permutation
From output, get 8 words of intermediate state for free.
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
Determine rest state words in forward direction from input,followed by all message words.
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 24 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Inverting the Permutation
From output, get 8 words of intermediate state for free.
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
Determine rest state words in forward direction from input,followed by all message words.This applies to 1.5-round, but a bit more complicated ...
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 24 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
Inverting the Permutation
From output, get 8 words of intermediate state for free.
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
Determine rest state words in forward direction from input,followed by all message words.This applies to 1.5-round, but a bit more complicated ...
1 and 1.5-round are permutation of message
Preimage attacks on 1.5-round, in 2128/2256 forBLAKE-32/64, compared with 2192/2384 (Li & Xu, eprint2009/238)
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 24 / 27
Description of BLAKEResults
Conclusions
Round-Reduced Near-CollisionsImpossible DifferentialsInvertibility and Preimage AttacksMore Results
More Results
Large class of 2-round impossible differentials
Conjecture on maximum 5-round against the MitMpreimage attack. Refer to free-start (without Initialization)4.5-round attack by Wang-Ohta-Sakiyama at Asiacrypt2009 rump session
Collision in 2n/4 for the variant with same constants.
More bounds on probability of any differentialcharacteristics
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 25 / 27
Description of BLAKEResults
Conclusions
Results and Future Work
Results:
242 4-round near collisions
Impossible differentials for 5/6-rounds
2128/2256 preimages for 1.5-round BLAKE-32/64
More bounds ...
None of these threat the full BLAKE.
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 26 / 27
Description of BLAKEResults
Conclusions
Results and Future Work
Results:
242 4-round near collisions
Impossible differentials for 5/6-rounds
2128/2256 preimages for 1.5-round BLAKE-32/64
More bounds ...
None of these threat the full BLAKE.
Future Work:
Nonlinear connector for collision with more rounds?
Rotational Cryptanalysis? Too many constants to besuccessful?
More properties of G?
J.-P. Aumasson, J. Guo, S. Knellwolf, K. Matusiewicz, W. Meier Differential and Invertibility Properties of BLAKE 26 / 27
Top Related