Outline ECHO-256 5-round HF Attack 7-round CF Attack Conclusion
Outline
Improved Analysis of ECHO-256
Jérémy Jean (1), María Naya-Plasencia (2), Martin Schläffer (3)
(1) École Normale Supérieure, France
(2) FHNW, Windisch, Switzerland
(3) IAIK, Graz University of Technology, Austria
SAC’2011 – August 11, 2011
SAC’2011 – J. Jean, M. Naya-Plasencia, M. Schläffer – Improved Analysis of ECHO-256 1/23
Outline of the talk
- Previous cryptanalysis
- Description of ECHO-256
- Collision attack on the 5-round hash function
- Distinguisher on the 7-round compression function
- Conclusion
Cryptanalysis
Previous cryptanalysis of ECHO-256
Hash function

Rounds  Time    Memory  Type       Reference
4/8     2^64    2^64    collision  new (Extended Version)
5/8     2^112   2^85.3  collision  new

Compression function

Rounds  Time    Memory  Type                        Reference
3/8     2^64    2^32    free-start collision        [Peyrin-C10]
3/8     2^96    2^32    semi-free-start collision   [Peyrin-C10]
4/8     2^96    2^32    distinguisher               [Peyrin-C10]
4/8     2^36    2^16    distinguisher               [JeanFouque-FSE11]
4/8     2^52    2^16    semi-free-start collision   [JeanFouque-FSE11]
6/8     2^160   2^128   collision, chosen salt      new (Extended Version)
6/8     2^193   2^128   collision                   new
7/8     2^160   2^128   distinguisher, chosen salt  new (Extended Version)
7/8     2^193   2^128   distinguisher               new
Description of ECHO-256
Description of the hash function
ECHO-256
- Submitted to SHA-3 by Gilbert et al.
- Merkle-Damgård construction
- HAIFA design (counter & salt)
- 2048-bit internal state as a 4×4 matrix of AES states
- 8-round AES-based permutation: BSB, BSR, BMC
- Output transformation: compress and truncate

[Figure: one round of the ECHO permutation: BSB (BigSubBytes, 2 AES rounds on each 128-bit word), BSR (BigShiftRows), BMC (BigMixColumns, the AES MixColumns applied across words)]
Alternative view
Breaking down to the AES-state level of operations
- SuperSBox = SB – MC – SB [LMRRS-A09, GP-FSE10]
- SuperMixColumns = MC – BMC [Schläffer-SAC10]

[Figure: one ECHO round BSB – BSR – BMC written out as SB SR MC SB SR MC BSR BMC (two rounds of AES), then reordered as SR SB MC SB SR BSR MC BMC so that SB – MC – SB forms the SuperSBox and MC – BMC forms SuperMixColumns]
Super Transformations
SuperSBox
- Introduced by Rijmen and Daemen in 2006
- Used in [LMRRS-A09, GP-FSE10]
- SuperSBox = SB – MC – SB
- Works on 32-bit AES columns
- P(∆IN → ∆OUT exists) ≈ 1/2
SuperMixColumns
- Super transformation introduced in [Schläffer-SAC10]
- SuperMixColumns = MC – BigMC
- Works on 16×1 byte-slices
- M_SMC = M ⊗ M (M from MixColumns)
Rebound technique [MRST-FSE09]
- For a given truncated differential path
- Set differences and values around a non-linear layer using its differential properties with amortized complexity one
- NL = AES SBox or SuperSBox

[Figure: L – NL – L; differences are chosen on both sides of the non-linear layer NL, and the differential properties of NL fix the values]
5-round Hash Function Collision Attack
Truncated Differential Path
[Figure: truncated differential path through the 5-round hash function, from the inputs H, M through states S1 to S40 to BigFinal and Trunc; each round consists of ShiftRows, SubBytes, MixColumns, SubBytes, ShiftRows, BigShiftRows, MixColumns, BigMixColumns]

- Almost the same path as in [Schläffer-SAC10]
- Improved attack to get collisions instead of distinguisher
- Corrected attack to find solutions also in the hash function
How to get Collisions
[Figure: last round of the path, states S32 to S40, followed by BigFinal and Trunc]

For some differences a, b, c, d of the first column slice (16×1) of state S37, we get a collision in the first column slice at the output (8 bytes) if

$$
M_{\text{trunc}} \cdot M_{SMC} \cdot [\,a\ 0\ 0\ 0\ b\ 0\ 0\ 0\ c\ 0\ 0\ 0\ d\ 0\ 0\ 0\,]^T
=
\underbrace{\begin{pmatrix}
4 & 6 & 2 & 2 & 6 & 5 & 3 & 3 \\
2 & 3 & 1 & 1 & 4 & 6 & 2 & 2 \\
2 & 3 & 1 & 1 & 2 & 3 & 1 & 1 \\
6 & 5 & 3 & 3 & 2 & 3 & 1 & 1
\end{pmatrix}^T}_{M_{comb}}
\cdot [\,a\ b\ c\ d\,]^T = [\,0\ 0\ 0\ 0\ 0\ 0\ 0\ 0\,]^T
$$

$\mathrm{rank}(M_{comb}) = 2 \Rightarrow P(\text{one slice}) = 2^{-16}$. So: $P(\text{collision}) = 2^{-16 \times 4} = 2^{-64}$.
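As an added example (not code from the talk or from the ECHO submission), the GF(2^8) linear algebra behind two claims on these slides: SuperMixColumns as M_SMC = M ⊗ M (slide 6) and rank(M_comb) = 2 giving 2^-16 per slice and 2^-64 for the full collision (slide 10). The M_comb entries are transcribed from slide 10 as the transpose of the printed 4×8 matrix; everything else is standard AES field arithmetic.

```python
# Added example, not from the slides: the GF(2^8) linear algebra behind
# SuperMixColumns (M_SMC = M (x) M) and the collision condition rank(M_comb) = 2.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES reduction polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_rank(rows):
    """Rank over GF(2^8) by elimination; rows are cross-multiplied, so no inverse is needed."""
    m = [list(r) for r in rows]
    rank = 0
    for col in range(len(m[0])):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        p = m[rank][col]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [gf_mul(p, x) ^ gf_mul(f, y) for x, y in zip(m[i], m[rank])]
        rank += 1
    return rank

def kron(A, B):
    """Kronecker product A (x) B over GF(2^8)."""
    return [[gf_mul(a, b) for a in ra for b in rb] for ra in A for rb in B]

MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
# SuperMixColumns on a 16-byte slice (slide 6): M_SMC = M (x) M, a 16x16 matrix.
M_SMC = kron(MIXCOLUMNS, MIXCOLUMNS)
# M_comb as transcribed from slide 10: 8 rows x 4 columns acting on (a, b, c, d)^T.
M_COMB = [
    [4, 2, 2, 6], [6, 3, 3, 5], [2, 1, 1, 3], [2, 1, 1, 3],
    [6, 4, 2, 2], [5, 6, 3, 3], [3, 2, 1, 1], [3, 2, 1, 1],
]

def log2_collision_probability(m_comb, slices=4):
    """Random (a, b, c, d) lies in the kernel with probability 2^(-8*rank); the slices multiply."""
    return -8 * gf_rank(m_comb) * slices
```

Because M_SMC is the Kronecker product of an invertible matrix with itself it has full rank 16, while the eight rows of M_comb span only two dimensions, which is exactly why one output slice imposes 16 and not 64 bit conditions.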
Problem of the Previous Attack
SuperMixColumns Problem [JeanFouque-FSE11]
For given differences in all bytes and given values in bytes of state S14 and S16, a solution exists only with probability 2^-128.

[Figure: S14 –MixColumns– S15 –BigMixColumns– S16]

Solution
- Solved for compression function attacks [JeanFouque-FSE11]
- More difficult for the hash function (larger constraints)
Outline of the Attack

[Figure: the 5-round truncated differential path (H, M, S1 to S40, BigFinal, Trunc) with the eight attack phases marked]

1. 1st inbound
2. 1st outbound
3. 2nd inbound
4. 1st merge inbound ⇔
5. merge chaining ⇔
6. 2nd merge inbound
7. 3rd merge inbound
8. 2nd outbound to get collision
Improvements Compared to Previous Attacks
1. 1st inbound
2. 1st outbound
3. 2nd inbound
4. 1st merge inbound ⇔
5. merge chaining ⇔
6. 2nd merge inbound
7. 3rd merge inbound
8. 2nd outbound to get collision

- inbound/outbound phases are largely the same as in previous attacks on ECHO
- new: separate merging phase into 3 parts:
  - solve first 128-bit condition using birthday effect and by generating enough solutions for the 2nd inbound
  - solve second 128-bit condition by choosing gray values
  - solve final 192-bit condition by choosing white values
- drawback: all phases have time/memory complexities above 2^64
Complexity Analysis
1. 1st inbound: time 2^96, memory 2^64 to get 2^96 solutions
2. 1st outbound: time 2^96, memory 2^64 to get 1 solution
3. 2nd inbound: time 2^64, memory 2^64 to get 2^32 × 2^32 × 2^32 × 2^64 = 2^160 solutions
4. 1st merge inbound ⇔: time 2^96, memory 2^64 to get 2^32 solutions
5. merge chaining ⇔: time 2^112, memory 2^48 to get 1 solution
6. 2nd merge inbound: time 2^64, memory 2^64 to get 1 solution
7. 3rd merge inbound: time 2^85.3, memory 2^85.3 to get 2^64 solutions
8. 2nd outbound to get collision: time 2^64, memory 1 to get 1 collision
7-round CF Attack
7-round Compression Function Attack
Truncated Differential Path

[Figure: truncated differential path through the 7-round compression function, from the inputs H, M through states S1 to S56; each round consists of SR, SB, MC, SR, SB, MC, BigSR, BigMC, with BigFinal after the last round]
Finding solutions for the path
Finding a right pair
1. Solutions for S6 to S23 (stop-in-the-middle [NayaPlasencia-C11])
2. Solutions for S30 to S48 (idem)
3. Merge both partial solutions
4. Find the remaining values with the same method as before
Differential solutions for S6 to S23
First, we consider the first half.

[Figure: states S6 to S23 of the 7-round path]

- Compute partial values and differences
- Stop-in-the-middle algorithm where S15 is the middle
- 2^64 solutions for blue and black bytes
⇒ 2^129 in time and 2^64 in memory
Differential solutions for S30 to S47
Then, we consider the second half.

[Figure: states S30 to S47 of the 7-round path]

- Compute partial values and differences
- MixColumns and BigMixColumns commute
- Stop-in-the-middle algorithm, where S39 is the middle
- 2^64 solutions for yellow and black bytes
⇒ 2^129 in time and 2^64 in memory
Merging solutions from S23 to S30
[Figure: states S23 to S30 of the path with their round operations, shown against the full 7-round path]

Merge
- Blue/black part fixed from the first half (S6 to S23)
- Yellow/black part fixed from the second half (S32 to S47)
- Find values and differences that match
- Consider the SuperSBoxes separately
- Match step-by-step in 2^193 time and 2^128 memory
Solutions for the whole path
Solutions
- Using the method from [Schläffer-SAC10], we find solutions completing the part of the path without differences
- 128-bit condition from [JeanFouque-FSE11] verified
- In the generic case, finding such a pair of input/output costs 2^240 in time
- Ours: 2^193 in time and 2^128 in memory
- Can also produce compression function collisions on 6 rounds with the same complexity
Conclusion
Conclusion I
Attack Property
- Attack split in small parts/phases
- Each part has complexity below generic scenario
- Parts are merged with complexity below the generic one
- We may even split parts into sub-parts
Conclusion II
Results on the 5-round Hash Function
⇒ Collision in time 2^112 and memory 2^85.3

Results on the 6- and 7-round Compression Function
⇒ 6R Collision in time 2^193 and memory 2^128
⇒ 7R Distinguisher in time 2^193 and memory 2^128

Extended version on ePrint: ePrint/2011/422
⇒ 4R hash function collision attack in time 2^64 and memory 2^64
⇒ 6R compression function collision attack in the chosen-salt model in time 2^160 and memory 2^128
⇒ 7R compression function distinguisher in the chosen-salt model in time 2^160 and memory 2^128

Thank you!