Algebraic properties of SHA-3 and notable cryptanalysis results

Algebraic properties of SHA-3 and notable cryptanalysisresults

Christina Boura

University of Versailles, France

ICMC 2015, January 9, 2014

1 / 51

Cryptographic Hash Functions

H : {0, 1}∗ → {0, 1}n

m H h = H(m) = 0111011000101 . . . 01︸︷︷︸

n bits

Security properties:

Preimage resistance (Complexity of the generic attack: 2n)

Second-preimage resistance (Complexity of the generic attack: 2n)

Collision resistance (Complexity of the generic attack: 2n/2)

Applications: password protection, digital signatures, key derivation,random number generation,...

2 / 51

Hash functions before 2004

MD4, MD5, SHA-0, SHA-1, SHA-2 ...

Merkle-Damgård was normal way to build hashes.

MD4 was known to be broken by Dobbertin, but still saw occasionaluse

MD5 was known to have theoretical weaknesses from DenBoer/Bosselaers and Dobbertin, but still in wide use.

SHA-0 was known to have weaknesses and wasn’t used.

SHA-1 was thought to be very strong.

SHA-2 looked like the future, with security up to 256 bits.

John Kelsey, NIST, August 2013

3 / 51

The NIST SHA-3 competition

Devastating attacks against MD5, SHA-1,... by Wang et al. (2004)

Lack of confidence in SHA-2 (standard).

NIST launches in 2008 a public competition

for defining a new standard.

64 submissions (October 2008)

51 first-round candidates

14 second-round candidates (July 2009)

5 finalists (December 2010)

Winner of the competition (October 2012): Keccak

SHA-3 standard: Draft FIPS PUB 202 (May 2014)

4 / 51

Outline

1 Keccak’s specifications

2 Algebraic properties of Keccak-f

3 Collision attacks against reduced-round Keccak

5 / 51

Keccak’s specifications

Outline




6 / 51


The Keccak team

Guido Bertoni, Joan Daemen, Michaël Peeters,

Gilles Van Assche

STMicroelectronics, NXP Semiconductors

7 / 51


The sponge construction

[Bertoni, Daemen, Peeters, Van Assche ’08]

f f f f f0

0

r

c

. . .

. . .

m1 m2 mk

absorbing squeezing

z1 z2 z3

Variable input length, variable output lengthFixed-length permutation (or transformation)Two parameters: bitrate r, capacity c, with

r + c = b,

where b is the size of the permutation.8 / 51


Security Claims

Traditionally, for fixed-length output functions, resistance to hashfunction attacks is expressed by means of the output length n.

Sponges are variable-length output constructions.

Define the strength of the construction, in function of somesize parameters.

9 / 51


The sponge construction with capacity c

Use the parameter c as an indicator for the security of the construction(flat sponge claim).

No generic attacks below 2c/2

(Unless easier generically).

Collision: min(2c/2, 2n/2)

Preimage: min(2c/2, 2n)

Second Preimage: min(2c/2, 2n)

Performance and security trade-off.

10 / 51


The SHA-3 standard

Based on the sponge construction with a fixed permutation of 1600 bits,called Keccak-f .

Four SHA3 fixed-length hash functions: SHA3-{224, 256, 384, 512},with c = 2n.

→ Remplacements for SHA2

Two SHA3 XOFs (Extendable-Output Functions):

SHAKE-256SHAKE-512

(SHAKE = SHA + KEccak)

11 / 51


The Keccak-f permutation

Keccak-f Permutation

1600-bit state, seen as a3-dimensional 5× 5× 64 matrix

24 rounds

R = ι ◦ χ ◦ π ◦ ρ ◦ θ

Linear layer: L = π ◦ ρ ◦ θ.

Nonlinear layer: 320 parallelapplicationsof a 5× 5 S-box χ

12 / 51


The θ transformation

a[x][y][z]← a[x][y][z] +

4∑

y′=0

a[x− 1][y′][z] +

4∑

y′=0

a[x+1][y′][z − 1]

13 / 51


The ρ transformation

x = 3 x = 4 x = 0 x = 1 x = 2

y = 2 25 39 3 10 43

y = 1 55 20 36 44 6

y = 0 28 27 0 1 62

y = 4 56 14 18 2 61

y = 3 21 8 41 45 15

14 / 51


The π transformation

15 / 51


The χ transformation

320 parallel applications of a 5× 5 bit Sbox.

χ(x0, x1, x2, x3, x4) = (x0 + x2 + x1x2,

x1 + x3 + x2x3,

x2 + x4 + x3x4,

x3 + x0 + x4x0,

x4 + x1 + x0x1).

Can be implemented by using an XOR, an AND and a NOT operation.

16 / 51


The ι transformation

XOR of round-dependent constant to lane in origin

Break symmetry: Without ι ...

... the round mapping would be symmetric

rotational cryptanalysis?

... all rounds would be the same

slide attacks?

...simple fixed points: (000 and 111)

17 / 51


The reasons for choosing Keccak

High security margin

Simple and elegant design

Flexibility in choosing parameters

Good performance in software (not as good as SHA2, Skein orBLAKE) but still more than acceptable

Excellent performance in hardware (better than all the othercandidates and better than SHA2!)

Built-in authenticated-encryption mode

Different design than SHA2

18 / 51

Algebraic properties of Keccak-f

Outline




19 / 51


Random behaviour of cryptographic primitives

Cryptographic primitives should behave like random functions:

A distinguishing property may be the starting point for some attacks.

Security proofs of many constructions assume random building blocks.

e.g. hermetic sponge strategy: the underlying permutation f of asponge construction should not have any structural distinguishers.

Does Keccak-f behave like a random permutation of F16002 ?

20 / 51


Algebraic degree of a vectorial function F : Fn2 → F

m2

Example:

F (x0, x1, x2, x3, x4) = (x0 + x2 + x4 + x1x2 + x1x4 + x3x4 + x1x3x4,

x0 + x1 + x3 + x0x2 + x0x4 + x2x3 + x0x2x4,

x1 + x2 + x4 + x0x1 + x1x3 + x3x4 + x0x1x3,

x0 + x2 + x3 + x0x4 + x1x2 + x2x4 + x1x2x4,

x1 + x3 + x4 + x0x1 + x0x3 + x2x3 + x0x2x3).

21 / 51


Algebraic degree of a vectorial function F : Fn2 → F

m2

Example:

F (x0, x1, x2, x3, x4) = (x0 + x2 + x4 + x1x2 + x1x4 + x3x4 + x1x3x4,

x0 + x1 + x3 + x0x2 + x0x4 + x2x3 + x0x2x4,

x1 + x2 + x4 + x0x1 + x1x3 + x3x4 + x0x1x3,

x0 + x2 + x3 + x0x4 + x1x2 + x2x4 + x1x2x4,

x1 + x3 + x4 + x0x1 + x0x3 + x2x3 + x0x2x3).

The algebraic degree of F is 3.

21 / 51


Some attacks exploiting a low algebraic degree

Algebraic attacks

Write the equations defining the primitive and try to solve thepolynomial system.

Cube attacks [Dinur-Shamir 08]

The factor of some monomial depends linearly on the key bits.

Higher-order differential attacks [Lai 94] [Knudsen 94]

Let F : Fn2 → Fn

2 . For every subspace V with dimV > degF ,

DV F (x) =⊕

v∈V

F (x+ v) = 0, for every x ∈ Fn2 .

22 / 51


Zero-Sums

For block ciphers (known-key attack) [Knudsen - Rijmen 07]

For hash functions [Aumasson - Meier 09, Boura - Canteaut 10]

Definition Let F : Fn2 → Fn

2 .A zero-sum for F of size K is a subset {x1, . . . , xK} ⊂ Fn

2 such that

K⊕

i=1

xi =

K⊕

i=1

F (xi) = 0.

Proposition. [Boura-Canteaut 10] For any function F , there exists at leasta zero-sum of size ≤ 5.

23 / 51


Zero-Sum Partitions

Definition Let P be a permutation from Fn2 → Fn

2 .A zero-sum partition for P of size K = 2k is a collection of 2n−k

disjoint zero-sums.

24 / 51


Exploiting a low algebraic degree

P = Rr ◦ · · · ◦R1.

Let Fr−t = Rr ◦ · · · ◦Rt+1 and Gt = R−11 ◦ · · · ◦R

−1t .

Let V ⊂ Fn2 with dimV > max(degFr−t,degGt).

P

Gt Fr−t

V + aXa P (Xa)

Xa = {Gt(z + a), z ∈ V },is a zero-sum partition of Fn

2 of size 2dimV for P .

∑

x∈Xa

x =∑

z∈V

Gt(z + a) = DV Gt(a) = 0

∑

x∈Xa

P (x) =∑

z∈V

Fr−t(z + a) = DV Fr−t(a) = 0

25 / 51


Trivial bounds

24 rounds of a permutation R of degree 2 over F16002

→ after r rounds, deg(Rr) ≤ 2r

What is usually expected

a full degree after 11 rounds

existence of zero-sum partitions up to 16 rounds of size 21025:

deg(R10) ≤ 210and deg((R−1)6) ≤ 36

V + a

R16

R10R−6

R16(Xa)Xa

26 / 51


A new bound exploiting the structure of the non-linear layer

χ χ χ χ

Linear Layer

χ χ χ χ

Linear Layer

χ χ χ χ

Linear Layer

27 / 51


χ χ χ χ

Find the maximal degree of the product πof d output coodinates.

δk = maximal degree of the product of k coordinates of χ.

28 / 51


χ χ χ χ



Exemple (d = 13)

deg(π) ≤ 2δ5 + δ3.

28 / 51


χ χ χ χ



Exemple (d = 13)

deg(π) ≤ δ5 + 2δ3 + δ2.

28 / 51


χ χ χ χ



deg(π) ≤ max(x1,x2,x3,x4)

(δ1x1 + δ2x2 + δ3x3 + δ4x4)

avec x1 + 2x2 + 3x3 + 4x4 = d.

28 / 51


Bound on δk


For χ:k 1 2 3 4 5

δk 2 4 5 5 5

29 / 51


Bound on δk


For χ:k 1 2 3 4 5

δk 2 4 5 5 5

Proposition. If S is a permutation of Fn2 ,

δk = n if and only if k = n

29 / 51


Bound on δk


For χ:k 1 2 3 4 5

δk 2 4 4 4 5

Proposition. If S is a permutation of Fn2 ,

δk = n if and only if k = n

29 / 51


A bound on the degree of SPN constructions

[Boura–Canteaut–De Cannière FSE 2011]

Theorem: Let F = (S, . . . , S) a permutation of Fn2 with S defined over

Fn0

2 . Then

deg(G ◦ F ) ≤ n−n− deg(G)

γ(S),

where

γ(S) = max1≤k≤n0−1

n0 − k

n0 − δk(S).

30 / 51


Application to Keccak-f

γ(χ) = max1≤k≤4

5− k

5− δk(χ).

k 1 2 3 4 5

δk(χ) 2 4 4 4 5

γ(χ) = max(4

3,3

1,2

1,1

1

)

= 3

We deduce

deg(Rr) ≤ 1600−1600 − deg(Rr−1)

3

31 / 51


r deg(Rr)

1 22 43 84 165 326 647 1288 2569 51210 102411 1408

12 1536

13 1578

14 1592

15 1597

16 1599

32 / 51


Application to the inverse of Keccak-f

γ(χ−1) = max1≤k≤4

5− k

5− δk(χ−1).

k 1 2 3 4 5

δk(χ−1) 3 4 4 4 5

Observation [Duan-Lai 11]

δ2(χ−1) = 3

33 / 51


Influence of the degree of the inverse

Question: Is δ2(χ−1) related to deg(χ)?

34 / 51


Influence of the degree of the inverse

Question: Is δ2(χ−1) related to deg(χ)?

Theorem.[Boura-Canteaut 13] Let F be a permutation on Fn2 .

Then, for any integers k and ℓ,

δℓ(F ) < n− k if and only if δk(F−1) < n− ℓ.

Case of Keccak: For F = χ−1, k = 1 and ℓ = 2

δ1(χ) = 2 < 5− 2 implies δ2(χ−1) < 5− 1 = 4.

34 / 51


A new bound

Theorem: Let F = (S, . . . , S) a permutation of Fn2 with S defined over

Fn0

2 . Then

deg(G ◦ F ) ≤ n−n− deg(G)

γ(S),

where

γ(S) = max1≤k≤n0−1

n0 − k

n0 − δk(S).

We can prove that

γ(S) ≤ max( n0 − 1

n0 − degS,n0

2− 1,deg(S−1)

)

For the inverse of Keccak-f :

γ(χ−1) ≤ 2

35 / 51


r deg(R−r) deg(R−r)(improv.)

1 3 32 9 93 27 274 81 815 243 2436 729 7297 1309 1164

8 1503 1382

9 1567 1491

10 1589 1545

11 1596 1572

12 1598 1586

13 1599 1593

14 1599 1596

15 1599 1598

16 1599 1599

deg(Rr) ≤ 1600−1600 − deg(Rr−1)

2

36 / 51


Zero-sum partitions for full Keccak-f

deg(R12) ≤ 1536

deg((R−1)11) ≤ 1572

Xa = {(R−1)11(a+ z), z ∈ V },

is a zero-sum partition of size 21575 for 24 rounds of Keccak-f .

37 / 51


Consequences?

The security proof still holds if the inner permutation has a given

structural property involving more than 2c+1

2 input-output pairs.

The existence of the zero-sum partitions pushed the authors toincrease the number of rounds from 18 to 24.

38 / 51

Collision attacks against reduced-round Keccak

Outline




39 / 51


Summary of cryptanalysis results

Target Attack Type Output Variant CF Call Reference

Keccak-f Distinguisher all 24 rounds 21575 [Boura et al. and Duan-Lai 2011]

Keccak-f Distinguisher all 8 rounds 2491.47 [Duc et al. 2012]

Keccak-f Distinguisher all 6 rounds 211 [Kuila et al. 2014]

Hash function Distinguisher 224, 256 4 rounds 225 [Naya-Plasencia et al. 2011]

Hash function Collision 224, 256 2 rounds Example [Naya-Plasencia et al. 2011]

Hash Function 2nd preimage 224, 256 2 rounds Example [Naya-Plasencia et al. 2011]

Hash Function 2nd preimage 512 6 rounds 2506 [Bernstein 2010]

Hash Function 2nd preimage 512 7 rounds 2507 [Bernstein 2010]

Hash Function 2nd preimage 512 8 rounds 2511.5 [Bernstein 2010]

Hash Function Collision 224, 256 4 rounds Example [Dinur et al. 2012]

Hash Function Collision 256 5 rounds 2115 [Dinur et al. 2013]

Hash Function Collision 384 3 rounds Example [Dinur et al. 2013]



40 / 51




Keccak-f Distinguisher all 24 rounds 21575 [Boura et al. 2010]






Hash function 2nd preimage 512 6 rounds 2506 [Bernstein 2010]


Hash function 2nd preimage 512 8 rounds 2511.5 [Bernstein 2010]






40 / 51




Keccak-f Distinguisher all 24 rounds 21575 [Boura et al. 2010]








Hash function 2nd preimage 512 8 rounds 2511.5 [Bernstein 2010]






40 / 51


Practical collision attacks against reduced-round Keccak

Practical Analysis of Reduced-Round Keccak,M. Naya-Plasencia, A. Röck and W. Meier, Indocrypt 2011.

Exploit the Column Parity Kernel (CP-Kernel) leading to 2-round lowHamming weight characteristicsPractical collisions and second-preimage for 2-round Keccak-{224, 256}

New attacks on Keccak-224 and Keccak-256,I. Dinur, O. Dunkelman and A. Shamir, FSE 2012.

Extend the previous 2-round CP-Kernel characteristics.Exploit that χ is of degree 2.Practical collisions for 4-round Keccak-{224, 256}.

41 / 51


Differential cryptanalysis

Introduced by Biham and Shamir in 1990.

Based on the notion of differentials (δin → δout).

Let F : Fn2 → Fn

2 :

F

F

x

x+ δin

y

x+ δout

δin δout

DPF (δin → δout) =|{(x, x′) : x⊕ x′ = δin and F (x)⊕ F (x′) = δout}|

2n

42 / 51


Differential characteristics

Let F = f r.

b

b

b

b

b b

b b

b bδin = δ0

δ1

δ2 δ3 δ4 = δout

DPF (δ0 → · · · → δr) =

r−1∏

i=0

DP f (δi → δi+1).

Differential characteristics of high probability can be used asdistinguishers, lead to key-recovery attacks (in block ciphers), collisionattacks (in hash functions).

43 / 51


Low Hamming-weight characteristics

Crucial transformations : θ, and χ

Properties of θ: Column Parity Kernel (Keccak team) : For states inwhich all columns have even parity, θ is the identity.

Lowest Hamming weight for states in CP-kernel: 2.

44 / 51






44 / 51






Properties of χ: 1-bit differences stay the same with probability 2−2.

44 / 51


Searching for double kernels

Image from [Naya-Plasencia, Röck, Meier, 2011]

45 / 51


Collisions on 2-round Keccak-256

Initial differences in the message part.

2-round 4-slice characteristics of weight 16.→ probability 2−32

Output difference δout not in the hash part.

46 / 51


Practical Collisions for 4-round Keccak-{224,256}

[Dinur, Dunkelman, Shamir 2012]

b b

High probability

differential characteristic

δin → δout

2 rounds

Characteristic

extended

backwards

1 roundb

Target

difference

algorithm

1 roundb

Use the two-round low Hamming weight differential characteristicsfound in [Naya-Plasencia, Röck, Meier 2011].

Place them after the second round and extend one round backwards(target difference).

Find message pairs having the target difference after one round ofKeccak-f .

47 / 51


Extending one round backwards: The θ effect

Inverse of θ:

Applying θ−1 to a difference with a single active bit results in adifference with about half of the bits active.

48 / 51


Link to the target difference

0 Target

differen

ce

Contro

lable

part

49 / 51


The target difference algorithm

Two problems to deal with:

1 The target difference is extended backwards with very low probability.

2 Initial state has many bits fixed to a certain value.

But:

Many available degrees of freedom

Method: χ function of degree 2, so when differentiating once has to dealwith a linear system.

50 / 51


Conclusions

Efforts of the cryptographic community concentrated on the securityanalysis of SHA-3.

Analyze equally the security of keyed versions (recent cube attacks)and of other constructions based on Keccak-f .

Analyse Keccak with smaller permutation sizes (use in constraineddevices).

SHA-3 seems to have a (very) big security margin.

51 / 51


Conclusions

Efforts of the cryptographic community concentrated on the securityanalysis of SHA-3.

Analyze equally the security of keyed versions (recent cube attacks)and of other constructions based on Keccak-f .

Analyse Keccak with smaller permutation sizes (use in constraineddevices).

SHA-3 seems to have a (very) big security margin.

Thank you for your attention!

51 / 51

Documents

Algebraic properties of SHA-3 and notable cryptanalysis results