
The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

Florian Mendel (1), Christian Rechberger (1), Martin Schläffer (1), Søren S. Thomsen (2)

(1) Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria
(2) Department of Mathematics, Technical University of Denmark, Matematiktorvet 303S, DK-2800 Kgs. Lyngby, Denmark

FSE 2009


Overview

1. Motivation
2. The Rebound Attack
3. The Whirlpool Hash Function
4. Rebound Attack on Whirlpool
5. Rebound Attack on Grøstl
6. Results and Conclusions


Motivation

- NIST SHA-3 competition: a diversity of designs, so a diversity of cryptanalytic tools is needed
- Many AES-based designs: how to analyze them? We contribute a new attack to this toolbox
- Applications? The idea of the attack is widely applicable: Whirlpool, Grøstl


Collision Attacks on Hash Functions

- iterated hash function $h(M, IV)$
- compression function $f$: $H_t = f(M_t, H_{t-1})$, $H_0 = IV$
- different types of collision attacks:
  (1) collision (fixed $IV$): $f(M_t, IV) = f(M'_t, IV)$, $M_t \neq M'_t$
  (2) semi-free-start collision (random chaining input): $f(M_t, H_{t-1}) = f(M'_t, H_{t-1})$, $M_t \neq M'_t$
  (3) free-start collision (random differences and values of the chaining input): $f(M_t, H_{t-1}) = f(M'_t, H'_{t-1})$, $M_t \neq M'_t$, $H_{t-1} \neq H'_{t-1}$
- ⇒ increasing degrees of freedom


The Rebound Attack

[Figure: the primitive split into three parts $E_{bw}$, $E_{in}$, $E_{fw}$, labelled outbound, inbound, outbound]

- Applies to block-cipher and permutation based designs:
  $E = E_{fw} \circ E_{in} \circ E_{bw}$, $P = P_{fw} \circ P_{in} \circ P_{bw}$
- Inbound phase: efficient meet-in-the-middle phase in $E_{in}$, aided by the available degrees of freedom (called match-in-the-middle)
- Outbound phase: probabilistic part in $E_{bw}$ and $E_{fw}$; repeat the inbound phase if needed


Comparison with other Strategies

[Figure: three diagrams of the compression function $(M_t, H_{t-1}) \to H_t$ showing where each strategy starts: inside-out approach, meet-in-the-middle attack, rebound attack (outbound, inbound, outbound)]


The Whirlpool Hash Function

[Figure: block cipher W in Miyaguchi-Preneel mode: $M_t$ enters the state update (SB, SC, MR, AK), $H_{t-1}$ enters the key schedule (SB, SC, MR, AC), and the cipher output is fed forward to give $H_t$]

- designed by Barreto and Rijmen; submitted to NESSIE in 2000; standardized in ISO/IEC 10118-3:2003
- 512-bit hash value, 512-bit message blocks
- block-cipher based (AES-like cipher W)
- Miyaguchi-Preneel mode with a conservative key schedule
- no attacks in 8 years of existence


The Whirlpool Round Transformations

[Figure: one round SubBytes ($S(x)$), ShiftColumns, MixRows, AddRoundKey $K_i$; below, the 10-round structure: states $S_0 = M_t$ through $S_{10}$ via rounds $r_1 \ldots r_{10}$ (SB, SC, MR, AK), key schedule $K_0 = H_{t-1}$ through $K_{10}$ via $k_1 \ldots k_{10}$ (SB, SC, MR, AC), and the feed-forward to $H_t$]

- 10 rounds
- AES-like round transformations on two $8 \times 8$ states
- $k_i = AC \circ MR \circ SC \circ SB$, $r_i = AK \circ MR \circ SC \circ SB$


Wide-Trails in Whirlpool

[Figure: the 10-round structure as on the previous slide, with a 4-round differential trail marked]

- minimum number of active S-boxes in any 4-round trail: 81 (pattern 8 - 64 - 8 - 1)
- maximum differential probability of the S-box: $2^{-5}$, so the trail holds with probability at most $(2^{-5})^{81} = 2^{-405}$
- a collision attack on Whirlpool must be faster than the generic $2^{256}$:
  - use "message modification" techniques in the first rounds
  - a fully active state remains: probability $(2^{-5})^{64} = 2^{-320}$


The Rebound Attack on Whirlpool

[Figure: rounds $r_1$ to $r_4$ of the state update with key schedule $K_0 \ldots K_4$; $r_2$ and $r_3$ marked as the inbound phase, $r_1$ and $r_4$ as the outbound phases]

- Inbound phase:
  (1) start with differences in rounds $r_2$ and $r_3$
  (2) match-in-the-middle at the S-box using the values of the state
- Outbound phase:
  (3) probabilistic propagation in MixRows of $r_1$ and $r_4$
  (4) match the one-byte difference of the feed-forward


Inbound Phase

[Figure: rounds $r_2$ and $r_3$ with the intermediate states $S_2^{SC}$, $S_2^{MR}$, $S_3^{SB}$, $S_3^{MR}$ and the key $K_2$; Step 1 at both MixRows, Step 2 at the S-box of $r_3$]

- (1) Start with differences in the states $S_2^{SC}$ and $S_3^{MR}$: linear propagation to fully active states $S_2$ and $S_3^{SB}$, deterministic due to the MDS property of MixRows
- (2) Match-in-the-middle at the S-box of round $r_3$:
  - differential match for a single S-box: probability $\sim 2^{-1}$
  - for each match we get 2 to 8 possible values for the S-box
  - ⇒ with a complexity of $2^{64}$ we get $2^{64}$ matches
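The single-S-box match of step (2), as an added example that is not code from the paper or the talk: it builds a difference distribution table (DDT) and returns the state values that make one S-box follow a given input/output difference pair. The slides give no S-box table, so the AES S-box is generated from its algebraic definition (an assumption for the example); Whirlpool's own S-box is a different table, which is why the slide quotes up to 8 values per match and a maximum differential probability of $2^{-5}$, whereas the AES S-box gives at most 4 values and $2^{-6}$.

```python
# Added example, not code from the slides: the single-S-box match of the
# inbound phase.  The AES S-box is generated here from its algebraic definition
# (assumption: the slides give no table); Whirlpool's S-box is a different table.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox():
    """AES S-box: multiplicative inverse (0 -> 0) followed by the affine map."""
    box = []
    for x in range(256):
        inv = x
        for _ in range(253):          # x^254 = x^-1 in GF(2^8)*, and 0 stays 0
            inv = gf_mul(inv, x)
        s = inv
        for k in range(1, 5):         # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

def ddt(box):
    """Difference distribution table: t[din][dout] = #{x : S(x)^S(x^din) = dout}."""
    t = [[0] * 256 for _ in range(256)]
    for x in range(256):
        for din in range(256):
            t[din][box[x] ^ box[x ^ din]] += 1
    return t

def match_in_the_middle(box, din, dout):
    """Inbound step (2): din arrives from the backward direction, dout from the
    forward one; return every state value x for which the S-box maps din to dout.
    An empty list means the two directions do not match at this byte."""
    return [x for x in range(256) if box[x] ^ box[x ^ din] == dout]

def match_probability(table, din):
    """Fraction of nonzero output differences reachable from a fixed nonzero input
    difference: the slides' ~2^-1 chance that one S-box matches."""
    return sum(1 for dout in range(1, 256) if table[din][dout]) / 255

def max_solutions(table):
    """Largest DDT entry, i.e. values per match (4 for AES, 8 for Whirlpool)."""
    return max(table[din][dout] for din in range(1, 256) for dout in range(256))
```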


Outbound Phase

[Figure: rounds $r_1$ to $r_4$ with states $S_0 \ldots S_4$ and keys $K_1 \ldots K_4$; Step 3 marked at the MixRows of $r_1$ and $r_4$, Step 4 at the feed-forward from $M_t$ to $H_t$]

- (3) Propagate through MixRows of $r_1$ and $r_4$ using truncated differences (active bytes: 8 → 1); probability $2^{-56}$ in each direction
- (4) Match the difference in the one active byte of the feed-forward
- ⇒ complexity for a 4-round collision of Whirlpool: $2^{120}$


Extension to more Rounds

[Figure: extended inbound phase over rounds $r_2$ to $r_4$ (Step 1, Step 2a, Step 2b) with the key schedule states $K_2$, $K_3$]

- Semi-free-start collision on 5 rounds: extend the inbound phase using the degrees of freedom in the key; same complexity ($2^{120}$) as in the 4-round attack

[Figure: rounds $r_1$ to $r_{7.5}$ with states $S_0 \ldots S_{7.5}$ and keys $K_1 \ldots K_7$; Steps 1 and 2 (inbound) in the middle, Step 3 (outbound) on both sides, Step 4 at the feed-forward]

- Semi-free-start near-collision on 7.5 rounds: extend the outbound phase with probability one (MixRows); near-collision on 52 of 64 bytes ($2^{128}$)


SHA-3 Candidate Grøstl

[Figure: compression function: $M_t$ and $H_{t-1}$ enter the permutations $P_{512}$ and $Q_{512}$ (each a sequence of AC, SB, ShB, MB rounds); the permutation outputs are XORed with $H_{t-1}$ to give $H_t$]

- Compression function of Grøstl: permutation based, no key-schedule inputs; AES-based round transformations (AC, SB, ShB, MB)
- Grøstl-256: $8 \times 8$ state for $P_{512}$ and $Q_{512}$, 10 rounds each


Rebound Attack on Grøstl-256

[Figure: 6 rounds $r_1 \ldots r_6$ of both permutations with states $P_0 \ldots P_6$ and $Q_0 \ldots Q_6$; Steps 1 and 2 (inbound) in the middle rounds, Step 3 (outbound) on both sides, Step 4 matching the differences at the input ($M_t$, $H_{t-1}$) and at the output ($H_t$)]

- Semi-free-start collision on 6 rounds of Grøstl-256
  - fewer degrees of freedom (no key schedule input)
  - maximize them by using differential trails in both permutations
  - birthday match on the input and output differences
- Complexity of the attack: $\sim 2^{120}$


Results

Summary of attacks:

hash function | rounds | computational complexity | memory requirements | type
Whirlpool     | 4.5/10 | $2^{120}$ | $2^{16}$ | collision
Whirlpool     | 5.5/10 | $2^{120}$ | $2^{16}$ | semi-free-start collision
Whirlpool     | 7.5/10 | $2^{128}$ | $2^{16}$ | semi-free-start near-collision
Grøstl-256    | 6/10   | $2^{120}$ | $2^{70}$ | semi-free-start collision

Improvements?
- still degrees of freedom left in the key schedule (Whirlpool)
- attack on 8.5/10 rounds of Maelstrom [1] (1024-bit key)
- attack on 8.5/12 rounds of the SHA-3 candidate Cheetah-512

[1] Gazzoni Filho, Barreto, Rijmen (SBSeg 2006)


Conclusions

- The Rebound Attack: inbound phase for the expensive parts, outbound phase for the "cheaper" parts
- Contribution to the hash function cryptanalysis toolbox: improved analysis of AES-based designs; better attacks with more degrees of freedom; simple designs allow simple analysis
- Future work: apply to other design strategies; analyze SHA-3 candidates; give bounds for simple AES-based designs