Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures - - PowerPoint PPT Presentation

cryptanalysis of round reduced keccak using non linear
SMART_READER_LITE
LIVE PREVIEW

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures - - PowerPoint PPT Presentation

Feb 07, 2024 235 likes •752 views

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

slide-1
SLIDE 1

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures

Mahesh Sreekumar Rajasree

Center for Cybersecurity, Indian Institute of Technology Kanpur

INDOCRYPT 2019, Hyderabad

slide-2
SLIDE 2

Outline

2

Introduction Hash function Structure of KECCAK Results Our Preimage attacks Preimage attack on 2 rounds KECCAK-512 Preimage attack on 3 rounds KECCAK-384 Conclusion

slide-3
SLIDE 3

Introduction

3

◮ Cryptographic hash functions are hash functions which are resistant to preimage, collision attacks and other attacks.

slide-4
SLIDE 4

Introduction

3

◮ Cryptographic hash functions are hash functions which are resistant to preimage, collision attacks and other attacks. ◮ Practical applications include message integrity checks, digital signatures, authentication, etc.

slide-5
SLIDE 5

Introduction

3

◮ Cryptographic hash functions are hash functions which are resistant to preimage, collision attacks and other attacks. ◮ Practical applications include message integrity checks, digital signatures, authentication, etc. ◮ SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST which is based on KECCAK.

slide-6
SLIDE 6

Attacks

4

Let H be a cryptographic hash function.

slide-7
SLIDE 7

Attacks

4

Let H be a cryptographic hash function. ◮ Preimage attack: Given H(m)

slide-8
SLIDE 8

Attacks

4

Let H be a cryptographic hash function. ◮ Preimage attack: Given H(m) , find any m′ such that H(m′) = H(m).

slide-9
SLIDE 9

Attacks

4

Let H be a cryptographic hash function. ◮ Preimage attack: Given H(m) , find any m′ such that H(m′) = H(m). ◮ Collision attack: Find any m = m′

slide-10
SLIDE 10

Attacks

4

Let H be a cryptographic hash function. ◮ Preimage attack: Given H(m) , find any m′ such that H(m′) = H(m). ◮ Collision attack: Find any m = m′ , such that H(m) = H(m′).

slide-11
SLIDE 11

Sponge Construction

5

Source: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

slide-12
SLIDE 12

Sponge Construction

5

Source: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

pad: padding function (10*1)

slide-13
SLIDE 13

Sponge Construction

5

Source: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

pad: padding function (10*1) f: KECCAK-f permutation

slide-14
SLIDE 14

State

6 Figure: State

Source: https://keccak.team/figures.html

slide-15
SLIDE 15

KECCAK-p permutation

7

◮ Block size: 5 × 5 × 64 = 1600.

slide-16
SLIDE 16

KECCAK-p permutation

7

◮ Block size: 5 × 5 × 64 = 1600. ◮ c = 2ℓ, r = 1600 − c where ℓ ∈ {224, 256, 384, 512}.

slide-17
SLIDE 17

KECCAK-p permutation

7

◮ Block size: 5 × 5 × 64 = 1600. ◮ c = 2ℓ, r = 1600 − c where ℓ ∈ {224, 256, 384, 512}. ◮ Number of rounds: In each round there are five Step mappings (θ, ρ, π, χ, ι).

slide-18
SLIDE 18

Description of θ

8

S′[x, y, z] = S[x, y, z]⊕P[(x+1) mod 5][(z−1) mod 64]⊕P[(x−1) mod 5][z] where P[x][z] = 4

i=0 S[x, i, z]

Figure: θ

Source: https://keccak.team/figures.html

slide-19
SLIDE 19

Description of ρ

9 Figure: ρ

Source: https://keccak.team/figures.html

slide-20
SLIDE 20

Description of π

10 Figure: π

Source: https://keccak.team/figures.html

slide-21
SLIDE 21

Description of χ and ι

11

◮ χ: Only non-linear function

slide-22
SLIDE 22

Description of χ and ι

11

◮ χ: Only non-linear function S′[x, y, z] = S[x, y, z] ⊕ ((S[(x + 1) mod 5, y, z] ⊕ 1)· S[(x + 2) mod 5, y, z])

slide-23
SLIDE 23

Description of χ and ι

11

◮ χ: Only non-linear function S′[x, y, z] = S[x, y, z] ⊕ ((S[(x + 1) mod 5, y, z] ⊕ 1)· S[(x + 2) mod 5, y, z]) ◮ ι: S′[0, 0] = S[0, 0] ⊕ RCi where RCi is a constant which depends on i where i is the round number.

slide-24
SLIDE 24

Recap

12

Source: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

slide-25
SLIDE 25

Results

13

Rounds Instances Our Results Previous Results 2 384 2113 2129[Guo et al., 2016] 512 2321 2384[Guo et al., 2016] 3 384 2321 2322[Guo et al., 2016] 512 2475 2482[Guo et al., 2016] 4 384 2371 2378[Morawiecki et al., 2013]

Table: Summary of preimage attacks

slide-26
SLIDE 26

Preimage attack

14

  • 1. If all input bits are variables, then the output of KECCAK

is a non-linear polynomial.

slide-27
SLIDE 27

Preimage attack

14

  • 1. If all input bits are variables, then the output of KECCAK

is a non-linear polynomial.

  • 2. This is due to χ function.
slide-28
SLIDE 28

Preimage attack

14

  • 1. If all input bits are variables, then the output of KECCAK

is a non-linear polynomial.

  • 2. This is due to χ function.
  • 3. To avoid this, we will equate one of the terms in the

product to some constant.

slide-29
SLIDE 29

Preimage attack

14

  • 1. If all input bits are variables, then the output of KECCAK

is a non-linear polynomial.

  • 2. This is due to χ function.
  • 3. To avoid this, we will equate one of the terms in the

product to some constant.

  • 4. θ must also be controlled to avoid diffusion.
slide-30
SLIDE 30

Preimage attack

14

  • 1. If all input bits are variables, then the output of KECCAK

is a non-linear polynomial.

  • 2. This is due to χ function.
  • 3. To avoid this, we will equate one of the terms in the

product to some constant.

  • 4. θ must also be controlled to avoid diffusion.
  • 5. Make sure that the number of equations are not more

than the number of variables.

slide-31
SLIDE 31

Preimage attack on 2 rounds KECCAK-512

15

(1)

θ

− → (2)

π◦ρ

− − − → (3)

ι ◦ χ

(6)

π◦ρ

← − − − (5)

θ

← − (4)

Figure: Preimage attack on 2-rounds KECCAK-512

slide-32
SLIDE 32

Preimage attack on 2 rounds KECCAK-512

16

(7)

χ−1◦ι−1

← − − − − − − − (8)

= = 1 = constant = linear = quadratic

Figure: Preimage attack on 2-rounds KECCAK-512

slide-33
SLIDE 33

Preimage attack on 2 rounds KECCAK-512

17

◮ Number of variables = 6 × 64 = 384.

slide-34
SLIDE 34

Preimage attack on 2 rounds KECCAK-512

17

◮ Number of variables = 6 × 64 = 384. ◮ Number of equations for first θ = 3 × 64 = 192.

slide-35
SLIDE 35

Preimage attack on 2 rounds KECCAK-512

17

◮ Number of variables = 6 × 64 = 384. ◮ Number of equations for first θ = 3 × 64 = 192. ◮ One equation for padding.

slide-36
SLIDE 36

Preimage attack on 2 rounds KECCAK-512

17

◮ Number of variables = 6 × 64 = 384. ◮ Number of equations for first θ = 3 × 64 = 192. ◮ One equation for padding. ◮ Number of equations between message variable and hash bits = 3 ∗ 64 − 1 = 191.

slide-37
SLIDE 37

Preimage attack on 2 rounds KECCAK-512

17

◮ Number of variables = 6 × 64 = 384. ◮ Number of equations for first θ = 3 × 64 = 192. ◮ One equation for padding. ◮ Number of equations between message variable and hash bits = 3 ∗ 64 − 1 = 191. ◮ Complexity 2512−191 = 2321.

slide-38
SLIDE 38

Preimage attack on 3 rounds KECCAK-384

18

1 1

(2)

3R

← − − (1)

= = 1 = constant = linear = quadratic

XOR 2nd mes- sage block 1 c2 1 c3 c1 1 1

(3)

π◦ρ◦θ

− − − − − →

1 c2 c3 1 1 c1 1

(4)

χ

− → (5)

Figure: Preimage attack on 3-rounds KECCAK-384

slide-39
SLIDE 39

Preimage attack on 3 rounds KECCAK-384

19

θ ◦ ι

(8)

ι◦χ

← − − − (7)

π◦ρ

← − − − (6)

θ

(9) = (10)

χ−1◦ι−1

← − − − − − − − −

ρ−1◦π−1

(11)

Figure: Preimage attack on 3-rounds KECCAK-384

slide-40
SLIDE 40

Preimage attack on 3 rounds KECCAK-384

20

  • 1. Number of variables = 6 × 64 = 384.
slide-41
SLIDE 41

Preimage attack on 3 rounds KECCAK-384

20

  • 1. Number of variables = 6 × 64 = 384.
  • 2. Number of equations for first θ = 2 × 64 = 128.
slide-42
SLIDE 42

Preimage attack on 3 rounds KECCAK-384

20

  • 1. Number of variables = 6 × 64 = 384.
  • 2. Number of equations for first θ = 2 × 64 = 128.
  • 3. Number of equations for second θ = 3 × 64 = 192.
slide-43
SLIDE 43

Preimage attack on 3 rounds KECCAK-384

20

  • 1. Number of variables = 6 × 64 = 384.
  • 2. Number of equations for first θ = 2 × 64 = 128.
  • 3. Number of equations for second θ = 3 × 64 = 192.
  • 4. One equation for padding.
slide-44
SLIDE 44

Preimage attack on 3 rounds KECCAK-384

20

  • 1. Number of variables = 6 × 64 = 384.
  • 2. Number of equations for first θ = 2 × 64 = 128.
  • 3. Number of equations for second θ = 3 × 64 = 192.
  • 4. One equation for padding.
  • 5. Number of equations between message variables and hash

bits = 63.

slide-45
SLIDE 45

Preimage attack on 3 rounds KECCAK-384

20

  • 1. Number of variables = 6 × 64 = 384.
  • 2. Number of equations for first θ = 2 × 64 = 128.
  • 3. Number of equations for second θ = 3 × 64 = 192.
  • 4. One equation for padding.
  • 5. Number of equations between message variables and hash

bits = 63.

  • 6. Complexity 2384−63 = 2321.
slide-46
SLIDE 46

Conclusion

21

◮ We have presented the best theoretical preimage attack for round-reduced KECCAK.

slide-47
SLIDE 47

Conclusion

21

◮ We have presented the best theoretical preimage attack for round-reduced KECCAK. ◮ Would be interesting to see whether non-linear structures along with other techniques can be used to find better preimage attacks for higher rounds.

slide-48
SLIDE 48

Thank You

slide-49
SLIDE 49

Questions?

slide-50
SLIDE 50

References

24

Guo, J., Liu, M., and Song, L. (2016). Linear structures: applications to cryptanalysis of round-reduced keccak. In International Conference on the Theory and Application

  • f Cryptology and Information Security, pages 249–274.

Springer. Morawiecki, P., Pieprzyk, J., and Srebrny, M. (2013). Rotational cryptanalysis of round-reduced keccak. In International Workshop on Fast Software Encryption, pages 241–262. Springer.