slides

Transcription

slides

A history of stream-oriented
hashing and the trail
backtracking attack
Joan Daemen
STMicroelectronics
Partially based on joint work with
Guido Bertoni, Michaël Peeters* and Gilles Van Assche
*NXP Semiconductors
STMicroelectronics
Outline
Cellular automata in cryptography
Early CA-based design efforts
CELLHASH
SUBTERRANEAN
STEPRIGHTUP and PANAMA
Trail Backtracking
RADIOGATÚN
Grindahl
STVL Summer Course 2008
2
Cellular Automata in cryptography
• CA guru Stephen Wolfram at Crypto ’85:
• Stream cipher: Pseudorandom generation with CA
• Crypto guru Ivan Damgård at Crypto ’89
• Hash function: Compression function with CA
3
CA Rule 30:
ai = ai −1 ⊕ (ai ai +1 == 00)
ai-1 ai ai+1
ai
4
5
Outline
9 Cellular automata in cryptography
Early CA-based design efforts
CELLHASH
SUBTERRANEAN
Trail Backtracking
RADIOGATÚN
Grindahl
6
CA Rule 45 (γ ): ai = ai −1 ⊕ (ai ai +1 == 01)
• ’89-’90: cycle length hot issue in stream ciphers
• First experiment: determine cycle distributions
• all rules with 3-neighborhood
• lengths between 11 and 32
• Observation:
• rule 45, odd length: cycles as if random permutation
• invertible!
• Stream cipher idea:
• take odd length and ...
• use γ instead of 30
7
Other CA rules
• ’91: breakdown of CA crypto:
• Eurocrypt ’91: Meier-Staffelbach break Wolfram’s PRG
• Asiacrypt ’91: I break Damgård’s hash function
• Problem: lack of diffusion ... and even worse for γ
• Search for invertible CA rules of neighborhood size 4
and 5:
• complementing landscape: similar to γ but even worse
• linear rules: e.g. ai = ai – 1 ⊕ ai ⊕ ai+1 not suited
• Some enigmatic rules: excellent diffusion
8
Patching the stream cipher
• Enigmatic rules
• invertible when length is co-prime to 6
• γ followed by ai = ai – 1 ⊕ ai ⊕ ai+1
• ... and variants
• Stream cipher proposal (WIC ‘91):
• Introduce linear CA rule for diffusion: θ
• use θ ° γ instead of γ
• Output distant bits
9
Patching the hash function
• Replace CA by engine with better diffusion
• Diffusion of θ ° γ grows only linearly
• Add bit transposition π: ai = az*i mod length
• Disperses neighboring bits
• Not a CA rule
• π ° θ ° γ leads to exponential diffusion
• No longer CA
• “Wide Trail”
10
Differential propagation properties of γ
• A differential (a’,b’) imposes w(a’) linear conditions on
the absolute value of the input a
• w(a’) is called the restriction weight of a’
= Hamming weight of a’ + number of strings 001 in a’
• Differential probability: DP(a’,b’)
• DP(a’,b’) = 2 –
w(a’)
• so only depends on a’ for all b’with DP(a’,b’) > 0
• Given a’, set of b’with DP(a’,b’) > 0 form affine space
• Can be described with an offset and a basis
11
Correlation propagation properties of γ
• Input-output correlation: corr(v, u)
• |corr(v, u)| = 2 – w’(u) with
• w’(u) correlation weight of u
n
= For each string of type 01 0 in u: n if n is even and n+1
otherwise
• so only depends on u for all v with corr(v, u) > 0
• Given u, set of v with corr(v, u) > 0 form an affine space
• Can be described with an offset and a basis
12
RIPE (’89)
• EC project in the RACE framework
• open call for cryptographic primitives
• symmetric crypto: hash functions only
• evaluation by consortia members
• from academia and industry
• Several submissions:
• Merkle:
• Rivest:
• Schnorr:
Snefru,
MD4 and later MD5
FFT-Hash I
13
Outline
9 Early CA-based design efforts
CELLHASH
SUBTERRANEAN
Trail Backtracking
RADIOGATÚN
Grindahl
14
Cellhash: structure
• Iterated block cipher:
• inspired by compression function of MD4:
• digest is encryption of fixed IV = 00...0 with message as key
• block length: 257 bits
• Round function (Mill):
• π ° θ ° γ alternated with message injection σ
• Due to π: unsuited for software
• # rounds:
• # 32-bit blocks in padded message m ( ≥ 8)
• Message expansion (Belt): simple shift register
15
Cellhash operation
m7
m6
m5
m4 m3
IV = 0
m2
m1
m0
m1
m0
ml-1
belt
mi
mill
m6
m5
m4
m3 m2
Digest
16
Cellhash distinguishing features
• Does not follow Merkle-Damgård:
• “fixing input length makes design of collision-resistant
compression function easier”
• no collision-resistant FIL compression function (like FFT-Hash)
• no MD-strengthening
• Streaming way of operation:
• Round function cryptographically weak as such, but ...
• strength expected from iterated application
• similar to rounds in block ciphers, steps in MD4, Snefru, ...
• Invertible and no feed-forward loop (Davies-Meyer):
• (2nd) pre-image: meet-in-the-middle: 2n/2 instead of 2n
• Large chaining value: 257 bits instead of usual 128
17
April 1, ’92
18
Beunhash
m7
m6
m5
m4 m3
IV = 0
m2
m1
m0
m1
m0
ml-1
mi
mill
m6
m5
m4
m3
m2
Digest
= Cellhash... without weak collisions ;-)
19
Outline
9 CELLHASH
SUBTERRANEAN
Trail Backtracking
RADIOGATÚN
Grindahl
20
Subterranean (’91)
0
0
0
0
0
IV = 0
0
0
0
0
0
0
0
0
0
0
mi
0
0
zi
21
Subterranean features
• Inherits features of Cellhash
• Finding state from output only = breaking stream cipher
• Performance:
• Mill/input ratio = 8
• workload per input bit: about 32 XOR + 8 AND
• Mill/output ratio = 16
• workload per output bit: about 64 XOR + 16 AND
• Fixed cost: 8 round
• ASIC implementation:
• Few gates but ...
• long wires: 87 % of area!
22
Status of Cellhash/Subterranean today
• Cellhash theoretical weaknesses:
• Length-extension: trivial to do
• (2nd) pre-image attack: about 2128,5 calls (< 2257 for RO )
• Subterranean:
• Length-extension problem solved
• No attacks found with complexity below 2128 calls to round function
• Structure appears to be sound
• Only cryptanalysis paper known to me:
• pre-image attack by Donghoon Chang at
http://eprint.iacr.org/2006/412
• Meet-in-the-middle applied to pre-image finding
23
Boognish (’92-’93)
• First attempt of translating Subterranean to software
• Word-oriented: 32-bit words
• Mill: 5 words
• γ, θ and belt injection σ: bit-slice
• π: rotations within the words
• Belt: shift register
• 1 word wide
• 24 words long
• Mill/input ratio: 5
24
Boognish
operation
• Failure:
Mill too
small
25
Outline
9 CELLHASH
9 SUBTERRANEAN
Trail Backtracking
RADIOGATÚN
Grindahl
26
StepRightUp (’94) and Panama (’98)
•
•
•
“Subterranean for Software”: Stream and hash
StepRightUp never published but appeared in thesis
Panama: StepRightUp with very small tweak
• Joint work with Craig Clapp
• Published at FSE ’98
•
Belt: linear feedback shift register
• 8 words wide
• 32 words long
•
Characteristics:
•
•
•
•
Mill/input ratio ≈ 2
Huge mill and belt
Feedback from Mill to Belt in pull rounds
Security claim: hermetic ≈ behave as a random oracle
27
Panama operation
push rounds:
p
0
31
ρ
a
blank rounds
pull rounds:
0
31
ρ
a
z
28
Panama Mill function
a9
a10 a11 a12 a13 a14 a15 a16
a0
a1
a2
a3
a4
a5
a6
a7
a8
γ
4
28
21
15
10
6
3
1
0
8
24
9
27
14
2
23
13
π
θ
A9 A10 A11 A12 A13 A14 A15 A16 A0
A1
A2
A3
A4
A5
A6
A7
A8
29
Outline
9 CELLHASH
9 SUBTERRANEAN
9 STEPRIGHTUP and PANAMA
Trail Backtracking
RADIOGATÚN
Grindahl
30
Trail backtracking
• How can the security of these functions be
evaluated?
• different from block-oriented hash functions that
have strong, block-cipher like compression function
• Trail backtracking:
• An generic attack method for searching collision in
stream-oriented hash functions
• Deals with counting number of conditions that must
be solved along a trail:
• ... solved algebraically or by trial-and-error
31
S0
Names, Symbols etc
p0
F
T0
• H: iterated hash function
• pi blocks of the input message
of l bits
• R: round function
• F “adds” the input block to the
state S
• Si state at round i
Si+1 =R(Ti)
• Size of the state larger than l
R
S1
p1
F
T1
R
Blank
rounds
…
R
…
R
z0
32
Round Differential
• Differential over round i (t’i ,s’i+1)
• Differential Probability DP as the
proportion of the state pairs
Ti,Ti+t’i such that
R(Ti ) ⊕ R(Ti ⊕ ti′) = si′+1
• A differential over a round is
possible if the DP>0
s’i
p’i
F
t’i
R
s’i+1
33
Round Differential (cont’d)
• A differential (t’i,s’i+1) imposes a set of conditions on the
input to the nonlinear mapping
• A right pair satisfies these conditions
• The probability of a single round can be expressed as
DP ≈ 2
− wr ( ti′ , si′+1 )
• wr is the restriction weight: number of conditions on t to
be satisfied
34
Collision Trails
• A trail Q is defined as the sequence of difference
triplets:
Q : (( s0′ , p0′ , t0′ ), ( s1′, p1′, t1′ )...sr′ )
r −1
DP(Q) ≈ 2
− wr ( Q )
=2
− ∑ wr ( ti′ , si′+1 )
i =0
• ... assuming independence of round differentials
• A differential trail that starts and ends with zero
differences is a collision trail
35
Counting right pairs
• Fix a differential trail of r rounds
• Take N random input pairs entering first round
• Every pair that gives s’1=R(t’0 ) if s’1 is in the
trail, the pair is a right pair
• Number of pairs in output of first round is:
− wr ( t 0′ , s1′ )
N2
36
Increase/Decrease in the number of
pairs
• Depending on the relation between the input l
and the weight of the round differential
• l<wr the number of pairs decrease
• l>wr the number of pairs increase
37
Excess Weight
• The number of right pairs entering round g is
g −1
N2
gl − ∑ wr ( ti′ , si′+1 )
i =0
• We define We as the excess weight
N2
−We ( g −1)
g
We ( g ) = ∑ wr (t ′j , s′j +1 ) − l
j =0
38
Determining the backtracking cost
• There are two interesting rounds
• The crowded: the round where the number of
pairs is maximum, thus the We is minimum
• The lonesome: minimum number of pairs, We
reaches the maximum
• From these two rounds we can derive:
• The amount of pairs N pairs required to find a
collision
• The workload of the attack
39
Determining the backtracking cost
• At the output of every round there shall be at
least on pair
N ≥ max 2
l +We ( h )
h
=2
l + max h We ( h )
• When no conditions are algebraically solved,
workload can be approximated by the number of
pairs entering the crowded round
max N 2
g
−We ( g −1)
= N2
− min We ( g −1)
g
40
Backtracking cost
max
2
0 , g ,h≤ g ≤ h < r
(We ( h ) −We ( g −1)) + l
max (We (h) − We ( g − 1)) + l
0, g ,h≤ g ≤ h< r
41
Collisions in Panama
•
Belt collisions
Input
Buffer
• Atom
• Rijmen et al.
• Our attack
•
Mill injection
• Five sub-collisions treated
independently
•
Discussion
• Both attacks exploit symmetry
• but that is not THE problem
• Mill/input ratio too low!
• 8 words of freedom per round
for the propagation in the 17word mill
• Trails with negligible
backtracking cost/depth
42
Fixing Panama
• Mill/Input ratio ↑: reduce input size... but also hashing
speed :-(
• Make sub-collisions overlap
• more taps in belt LFSR?
• more feed-forward from Belt to Mill?
• But: Panama stream cipher is still unbroken today!
• Small Mill/output ratio appears to be no problem
• Maybe including feedback from Mill to Belt (also in Push
mode) will help?
43
Fixing Panama (cont’d)
• Final correction attack:
•
•
•
•
•
∀ M, M*, find X, X* with H(M X)=H(M* X*)
X’ = X ⊕ X* fully determined by M and M* by belt linearity
find a trail in Mill such that it results in a collision
small Mill/input ratio gives a small backtracking cost, ...
independent of what the belt looks like!
• So:
• Reduce input size
• Include feedback from Mill to Belt
• Simplify Belt
• Result is RADIOGATÚN (Bertoni, Daemen, Peeters, Van Assche)
44
Outline
9 CELLHASH
9 SUBTERRANEAN
9 Trail Backtracking
RADIOGATÚN
Grindahl
45
RadioGatún
46
Discussion
• Trail backtracking cost is influenced by the
smaller input (from 8 to 3)
• Less degrees of freedom
• Increase wr – l, and so the backtracking cost
• Increase the depth of the backtracking: number of
rounds over which equations must be transferred
to input bits
• There is still work
• proving lower bounds for backtracking cost
• investigating dependence of round differentials
47
Outline
9 CELLHASH
9 SUBTERRANEAN
9 Trail Backtracking
9 RADIOGATÚN
Grindahl
48
Grindahl
• Stream-oriented hash function proposed at
FSE2007 by Knudsen, Rechberger and
Thomsen
• Concatenate-permute-truncate
• The permutation is based on Rijndael building
blocks
• Two variants: 256 and 512
• Difference: size internal state, shifts and digest
49
Grindahl iteration
Concatenate
AddConstant
SubBytes
ShiftRows
MixColumns
Truncate
50
Use of truncated differences
• Presented by Peyrin at ASIACRYPT2007
• Use a bit to represent if there is a difference
or not in a byte of the state
• Attack can make abstraction of effect of
SubBytes and AddConstant
• Propagation through MixColumns is the
determining part
51
Truncated differentials of MixColumns
• # active bytes at input and at output ≥ 5
• Approx Probabilities (log2):
# active bytes at input
# active bytes in output
0
0
1
2
3
4
1
0
-
2
-24
3
-16
-16
4
-8
-8
-8
0
0
0
0
52
Spreading of
Differences in
3 Rounds
0
0
1
2
3
4
5
6
7
8
9
1
11
12
X
X
0
1
0
2
3
X
X
1
X
2
X
3
X
0
0
X
1
X
1
X
X
4
5
6
7
8
9
10
X
X
X
X
X
X
X
X
X
2
3
4
5
6
7
8
9
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
2
12
X
2
3
11
X
3
Differences
before the
application of
MixColumns
10
X
X
X
X
X
X
10
X
X
11
12
X
X
X
X
X
53
Peyrin’s attack
• Two trails from truncated difference with all
bytes active to zero-difference,
• Q1: 4 rounds with p = 2– 312
• Q2: 8 rounds with p = 2– 440
• Using degrees of freedom of intermediate
inputs, it turns out that the Q2 is better than
Q1 and that a collision can be found in 2112
calls to the round function
• This can be modeled as an instance of
(truncated) trail backtracking
54
Feature worth considering
1) Invertible round function
2) Streaming-oriented hashing (with blank rounds at end)
•
•
Trail backtracking as reference attack
Ratio Input size/Mill size shall not be too large
3) Symmetry and parallelism
4) Gradual output extraction and variable-length output
•
Reference: Sponge Functions
5) Belt-and-Mill construction
•
Belt without feedback from Mill is useless
55

slides

Transcription

Similar documents

The Supply Pond and Queach Preserves

Trail of Tears (Robert Lindneux in 1942)

Southtowne Trail - PATH Foundation

September 25, 2010 10AM-1PM - Spring Mill Fire Company #1

office - Nightwood Theatre

Ribbon Cutting Ceremony - Great Rivers United Way

5K Trail Blazer - Waasegiizhig Nanaandawe`Iyewigamig Health

lancaster - Mill Bridge Village Camp Resort

SSTF - TUHAYE.mxd - South Summit Trails Foundation

Rannel`s Kettle Run Nature Preserve