Post on 27-Aug-2019
Cryptographic Hash Function Edon-R: Mathematical Background, Structure, and Cryptanalysis
Dennis Hoppe
Bauhaus-University Weimar
6th May 2009
Dennis Hoppe (BUW) Edon-R 6th May 2009 1 / 44
Agenda
1 Cryptographic Hash Algorithm Competition
2 Mathematical Preliminaries
3 Edon-R: Description, Design Properties, Security Claims
4 Cryptanalysis of Edon-R: Key-Recovery Attack
5 Conclusions
Cryptographic Hash Algorithm Competition
NIST has opened a public competition to develop a new cryptographic hash algorithm, which converts a variable length message into a short “message digest” that can be used for digital signatures, message authentication and other applications. The competition is NIST’s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called “SHA-3” [..]
Among the SHA-3 submissions is Edon-R, a hash function based on the theory of quasigroups (Gligoroski et al., 2008b).
Mathematical Background
Definition (Quasigroup)
The magma $(Q, \ast)$, $Q = \{q_1, q_2, \ldots, q_r\}$, $|Q| = r$, is called a finite quasigroup of order $r$ if, for any two given elements $a, b \in Q$, the equations $a \ast x = b$ and $y \ast a = b$ each have exactly one solution.
Definition (Latin Square)
The multiplication table of a finite quasigroup of order $r$ is a Latin square, i.e., an $r \times r$ array with the property that each row and each column is a permutation of $Q$.
Mathematical Background – cont’d
Definition (Quasigroup e-transformation)
A quasigroup e-transformation of a string $A = (a_0, \ldots, a_{n-1})$ is defined by the function $e_k : Q \times Q^n \to Q^n$, where $k \in Q$, $e_k(A) = B = (b_0, \ldots, b_{n-1})$, and
$$b_i := \begin{cases} k \ast a_0 & \text{if } i = 0 \\ b_{i-1} \ast a_i & \text{if } 1 \le i \le n-1 \end{cases}$$
[Figure: the leader $k$ is combined with $a_0$ to give $b_0$; each further $b_i$ is obtained from the previous output $b_{i-1}$ and the next input symbol $a_i$, up to $b_{n-1}$.]
Mathematical Background – cont’d
Definition (Single reverse quasigroup string transformation)
A quasigroup single reverse string transformation is the function $R_1 : Q^n \to Q^n$ defined as
$$R_1(A) = B = e_{A,n}(A) = e_{a_0}\big(e_{a_1}(\ldots(e_{a_{n-2}}(e_{a_{n-1}}(A)))\ldots)\big)$$
Mathematical Background – cont’d
Consider the quasigroup $(Q, \ast)$ of modular subtraction, $a, b \in Q$, $a \ast b = a + r - b \bmod r$. Let $Q = \{0, 1, 2, 3\}$ and let the quasigroup be given by the following multiplication scheme:
$$\begin{array}{c|cccc} \ast & 0 & 1 & 2 & 3 \\ \hline 0 & 0 & 3 & 2 & 1 \\ 1 & 1 & 0 & 3 & 2 \\ 2 & 2 & 1 & 0 & 3 \\ 3 & 3 & 2 & 1 & 0 \end{array}$$
Consider the string $A = 0\,1\,2\,3\,0$. The transformation results in $R_1(A) = e_{A,5}(A) = 0\,0\,1\,0\,3$.
Row-by-row computation (the leader of each step in the first column, applied from $a_4$ down to $a_0$):
$$\begin{array}{c|ccccc l} R_1 & 0 & 1 & 2 & 3 & 0 & = A \\ \hline 0 & 0 & 3 & 1 & 2 & 2 & \\ 3 & 3 & 0 & 3 & 1 & 3 & \\ 2 & 3 & 3 & 0 & 3 & 0 & \\ 1 & 2 & 3 & 3 & 0 & 0 & \\ 0 & 2 & 3 & 0 & 0 & 0 & = R_1(A) \end{array}$$
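An added example (not code from the slides): the order-4 modular-subtraction quasigroup, the e-transformation $e_k$ and $R_1$ as defined above, reproducing the row-by-row table for $A = 0\,1\,2\,3\,0$; the brute-force search at the end recovers preimages of $R_1(A)$, which is only feasible because $r^n = 4^5$ is tiny.

```python
# Added example (not code from the slides): the order-4 modular-subtraction quasigroup,
# the e-transformation e_k and the single reverse transformation R1 exactly as defined
# on the preceding slides, reproducing the row-by-row table for A = 0 1 2 3 0.
from itertools import product

R = 4                               # order of the quasigroup Q = {0, 1, 2, 3}

def op(a, b):
    """Quasigroup operation a * b = a + r - b mod r (modular subtraction)."""
    return (a + R - b) % R

def multiplication_table():
    """The Latin square of (Q, *): row a, column b holds a * b."""
    return [[op(a, b) for b in range(R)] for a in range(R)]

def is_latin_square(table):
    """Each row and each column must be a permutation of Q."""
    n = len(table)
    rows_ok = all(sorted(row) == list(range(n)) for row in table)
    cols_ok = all(sorted(table[i][j] for i in range(n)) == list(range(n)) for j in range(n))
    return rows_ok and cols_ok

def e_transform(k, A):
    """e_k(A): b_0 = k * a_0 and b_i = b_{i-1} * a_i for 1 <= i <= n-1."""
    B, prev = [], k
    for a in A:
        prev = op(prev, a)
        B.append(prev)
    return B

def r1_trace(A):
    """R1(A) = e_{a_0}(e_{a_1}(...(e_{a_{n-1}}(A)))): the leaders are the symbols of A,
    applied from a_{n-1} (innermost) to a_0 (outermost). Returns one (leader, string)
    row per step, i.e. the rows of the table on the slide."""
    rows, cur = [], list(A)
    for leader in reversed(A):
        cur = e_transform(leader, cur)
        rows.append((leader, cur))
    return rows

def r1(A):
    return r1_trace(A)[-1][1]

def preimages_bruteforce(B):
    """All A in Q^n with R1(A) = B, by exhaustive search over the r^n strings.
    This is only feasible because the order r = 4 is tiny."""
    return [list(A) for A in product(range(R), repeat=len(B)) if r1(list(A)) == B]

if __name__ == "__main__":
    A = [0, 1, 2, 3, 0]
    for leader, row in r1_trace(A):
        print(leader, "|", *row)
    print("R1(A) =", *r1(A))
    print("preimages of R1(A):", preimages_bruteforce(r1(A)))
```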
Mathematical Background – cont’d
Theorem (One-wayness of $R_1$)
If the quasigroup $(Q, \ast)$ is non-associative and non-commutative (shapeless), then the complexity of finding a preimage for the function $R_1 : Q^n \to Q^n$ of order $r$ is $O(r^{\lfloor n/3 \rfloor})$.
Let $B = (b_0, \ldots, b_{n-1})$ be given; find a string $A = (a_0, \ldots, a_{n-1})$ such that $B = R_1(A)$.
$$\begin{array}{c|ccccc} R_1 & a_0 & a_1 & \cdots & a_{n-2} & a_{n-1} \\ \hline a_{n-1} & x^{(1)}_0 & x^{(1)}_1 & \cdots & x^{(1)}_{n-2} & x^{(1)}_{n-1} \\ a_{n-2} & x^{(2)}_0 & x^{(2)}_1 & \cdots & x^{(2)}_{n-2} & x^{(2)}_{n-1} \\ \vdots & \vdots & & \ddots & & \vdots \\ a_1 & x^{(n-1)}_0 & x^{(n-1)}_1 & \cdots & & x^{(n-1)}_{n-1} \\ a_0 & b^{(n)}_0 & b^{(n)}_1 & \cdots & & b^{(n)}_{n-1} \end{array}$$
[The slide reveals this table in three steps: at first only the last row $B$ is known and every $a_i$ and $x^{(j)}_i$ is marked ?; the fully labelled table is shown above.]
Mathematical Background – cont’d
Problems
Quasigroups of low order $r$ are easily invertible
Using a general quasigroup requires storing its corresponding Latin square, i.e. $r^2$ elements
Not feasible for large quasigroups of order $r \ge 2^{256}$
Mathematical Background – cont’d
Definition (Isotopic quasigroups)
Two quasigroups $Q$ and $R$ are said to be isotopic if there exists a triple $(\alpha, \beta, \gamma)$ of maps from $Q$ to $R$ such that $\alpha(x)\beta(y) = \gamma(xy)$ and each of the three maps is a bijection. In terms of a Latin square, an isotopy is given by a permutation of rows and columns.
$$x \ast y = \pi_1(\pi_2(x) \circ \pi_3(y))$$
(here $\circ$ denotes the operation of the given quasigroup and $\ast$ that of the new one)
Consequences
Efficient method to construct new quasigroups
Makes it possible to compute the result of the multiplication without a table, which allows constructing large quasigroups
Security additionally depends on the difficulty of inverting the mappings
Mathematical Background – cont’d
Properties of quasigroups to ensure one-wayness
Non-associative
Non-commutative
Non-linear quasigroup operation, e.g. +
Order $r \ge 2^{256}$
Then, inversion of the quasigroup operation is hard.
Mathematical Background – cont’d
Application of quasigroups in cryptology
Vigenere Cipher
A fix of the MD4 Family of Hash Functions (Gligoroski et al., 2005)
Error-Correction Coding (Gligoroski et al., 2006a)
Stream Cipher Edon80 (Gligoroski et al., 2008a)
Edon-R (Gligoroski et al., 2006b)
Description of Edon-R
Cryptographic hash function
Supports output sizes of $n$ bits, $n \in \{224, 256, 384, 512\}$; the 32-bit version supports $n \in \{224, 256\}$, the 64-bit version $n \in \{384, 512\}$
Based on low-level primitive operations like addition modulo $2^{32}$ / $2^{64}$, wordwise rotation and bitwise exclusive-OR
Very fast hash computation
Conjectured security claims according to NIST standards
Collision resistance: $O(2^{n/2})$
Preimage resistance: $O(2^n)$
Second-preimage resistance: $O(2^{n-k})$
Description of Edon-R – cont’d
Input: Message $M$ of length $l$ bits and the size $n$ of the hash
Output: A hash of the message $M$ of size $n$ bits
1 Preprocessing
(a) Pad the message $M$ (MD-strengthening)
(b) Parse the padded message into $2n$-bit blocks $M^{(1)}, \ldots, M^{(N)}$
(c) Set the initial value of the double pipe to $P^{(0)}$
2 Hash computation
(a) FOR $i = 1$ to $N$ DO $P^{(i)} = R(P^{(i-1)}, M^{(i)})$
3 The resulting hash is the least significant $n$ bits of $P^{(N)}$ (truncation)
Description of Edon-R – cont’d
[Figure: the compression function $R$ is iterated over the message blocks $M^{(0)}, M^{(1)}, \ldots, M^{(N-1)}$, mapping the chaining values $P^{(0)} \to P^{(1)} \to \ldots \to P^{(N-1)} \to P^{(N)}$; the truncation $T$ then outputs $P^{(N)}_0$.]
Wide-Pipe Strategy (Lucks, 2004)
Internal chaining values have a size independent of the final hash
“Widen” the internal pipe from $n$ bits to $w \ge 2n$ bits
Use two compression functions
It is unlikely to find internal collisions
Takes pairs of input values
$$P^{(i)} \equiv (P^{(i)}_0, P^{(i)}_1), \qquad M^{(i)} \equiv (M^{(i)}_0, M^{(i)}_1)$$
Description of Edon-R – cont’d
Edon-R one-way function $R$
$$R : Q_q^4 \to Q_q^2, \qquad q = 256, 512$$
$$R(P^{(i)}_0, P^{(i)}_1, M^{(i)}_0, M^{(i)}_1) = (P^{(i+1)}_0, P^{(i+1)}_1)$$
[Figure: one application of $R$ for the first block: inputs $P^{(0)}_0, P^{(0)}_1, M^{(1)}_0, M^{(1)}_1$, intermediate values $X^{(1)}_0, X^{(1)}_1$, $X^{(2)}_0, X^{(2)}_1$, $X^{(3)}_0, X^{(3)}_1$, outputs $P^{(1)}_0, P^{(1)}_1$; the slide then repeats the diagram for $M^{(2)}$ up to $M^{(N)}$.]
Design Properties of Edon-R
Quasigroups of order $2^{256}$ and $2^{512}$
Construct quasigroups $(Q, \ast)$ as isotopes of $((\mathbb{Z}_{2^w})^8, +_8)$, $w = 32, 64$
Define three permutations $\pi_i : \mathbb{Z}_2^q \to \mathbb{Z}_2^q$ for $1 \le i \le 3$, such that
$$X \ast Y \equiv \pi_1(\pi_2(X) +_8 \pi_3(Y))$$
for all $X, Y \in (\mathbb{Z}_{2^w})^8$
Define these operations as bitwise operations on $w$-bit values:
1 Addition modulo $2^w$
2 Wordwise rotation to the left by $k$ positions
3 Bitwise exclusive-OR
[Slides 22–24: figures only (the transformations $\pi_1$, $\pi_2$, $\pi_3$ discussed in the remarks that follow).]
Design Properties of Edon-R – cont’d
Remarks
$L_{1,1}$ and $L_{2,1}$ transform the values by addition modulo $2^w$
$L_{1,2}$ and $L_{2,2}$ transform the values by XORing
$\pi_2$ and $\pi_3$ add diffusion and non-linear mixing separately on both $X$ and $Y$
$\pi_1$ introduces additional diffusion by means of a simple rotation
The overall design structure is a shapeless quasigroup of order $r \ge 2^{256}$
Security Claims
Resistance against generic length-extension attacks and multicollision attacks due to the wide-pipe design
Avoiding fixed points for the compression function $R$: a fixed point is characterized by $R(X) = X$; a cryptanalyst found $R(0) = 0$, so the designers added constants to the transformations
Iterating Edon-R backwards is infeasible: infeasibility of solving non-linear quasigroup equations; finding preimages and second preimages: $O(2^n)$
Finding free-start collisions is infeasible
Provable resistance to differential cryptanalysis
Edon-R can be securely used with HMAC
Any possible successful attack on the SHA-2 family of hash functions is unlikely to be applicable to Edon-R
Security Claims – cont’d
Worked out vulnerabilities
Multicollisions, multipreimages and fixed points(Klima, 2008)
Free start collisions, preimages and second-preimages(Khovratovich et al., 2008)
Key recovery attack on secret-prefix Edon-R(Leurent, 2009)
Key Recovery Attack against Secret-prefix Edon-R
Results (Leurent, 2009)
Using Edon-R as a MAC with the secret prefix method is unsafe
It is possible to recover the secret key k with only two queries to thehash function
The attack takes an effort of $O(2^{5w})$, $w = 32, 64$, i.e. $O(2^{5n/8})$
The author believes this is a strong weakness in the design of Edon-R
Key Recovery Attack against Secret-prefix Edon-R
What is a MAC?
Message Authentication Code
Used to authenticate messages by means of a secret key k
Hash functions can be used with an additional secret key to produce a MAC, such that
$$H : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^n$$
Construction (intuitive)
1 Prefix method: $\mathrm{MAC}_k(M) = H(k \| M)$
2 Postfix method: $\mathrm{MAC}_k(M) = H(M \| k)$
3 Envelope method: $\mathrm{MAC}_k(M) = H(k \| M \| k)$
Key Recovery Attack against Secret-prefix Edon-R
Secret-prefix construction of Edon-R
In general, the prefix method of constructing a MAC is weak, because length-extension attacks are possible
Due to the wide-pipe design of Edon-R the secret-prefix construction is secure:
$$\mathrm{MAC}_k = \text{Edon-R}(k \| M)$$
If the key $k$ is padded to a full block, $k$ is equivalent to $(P^{(0)}_0, P^{(0)}_1)$
The aim is to recover $(P^{(0)}_0, P^{(0)}_1)$ by means of two queries
Key Recovery Attack against Secret-prefix Edon-R
Key Recovery (two queries are sufficient)
1 Edon-R($M$)
[Figure: one compression $R(P^{(0)}_0, P^{(0)}_1, M^{(0)}_0, M^{(0)}_1) = (P^{(1)}_0, P^{(1)}_1)$, followed by the truncation $T$ of $P^{(1)}$.]
2 Edon-R($M'$), such that $M' = M_{pad} \| \{0,1\}^n$
[Figure: two compressions, $R(P^{(0)}_0, P^{(0)}_1, M^{(0)}_0, M^{(0)}_1) = (P^{(1)}_0, P^{(1)}_1)$ and $R(P^{(1)}_0, P^{(1)}_1, M^{(1)}_0, M^{(1)}_1) = (P^{(2)}_0, P^{(2)}_1)$, followed by the truncation $T$ of $P^{(2)}$.]
Key Recovery Attack against Secret-prefix Edon-R
Let’s have a closer look at the compression functions
[Figure: first query: $R$ with inputs $P^{(0)}_0, P^{(0)}_1, M^{(0)}_0, M^{(0)}_1$, intermediate values $X^{(1)}_0, X^{(1)}_1, X^{(2)}_0, X^{(2)}_1, X^{(3)}_0, X^{(3)}_1$ and outputs $P^{(1)}_0, P^{(1)}_1$. Second query: $R$ with inputs $P^{(1)}_0, P^{(1)}_1, M^{(1)}_0, M^{(1)}_1$, intermediate values labelled likewise, and outputs $P^{(2)}_0, P^{(2)}_1$.]
Key Recovery Attack against Secret-prefix Edon-R
Compute $X^{(3)}_0$
$$P^{(2)}_1 = P^{(2)}_0 \ast X^{(3)}_1 = (M^{(1)}_0 \ast X^{(3)}_0) \ast (X^{(2)}_1 \ast X^{(3)}_0) \qquad (1)$$
Remember the quasigroup operation of Edon-R:
$$X \ast Y \equiv \pi_1(\pi_2(X) +_8 \pi_3(Y))$$
We can rewrite equation (1):
$$P^{(2)}_1 = \Big(\pi_1(\pi_2(M^{(1)}_0)) +_8 \pi_1(\pi_3(X^{(3)}_0))\Big) \ast \Big(\pi_1(\pi_2(X^{(2)}_1)) +_8 \pi_1(\pi_3(X^{(3)}_0))\Big)$$
$U = \pi_1(\pi_3(X^{(3)}_0))$ → $U$ is unknown; recover $X^{(3)}_0$ from $U$
$C_0 = \pi_1(\pi_2(M^{(1)}_0))$ → known constant
$C_1 = \pi_1(\pi_3(X^{(2)}_1))$ → known constant
$$P = (U + C_0) \ast (U + C_1)$$
Key Recovery Attack against Secret-prefix Edon-R
Construct four block designs $(v, k, \lambda)$ from $L_1$ and $L_2$
1 $(v, k, \lambda) = (8, 5, \lambda)$, $\lambda \in \{2, 3, 4\}$ → $L_{1,1}, L_{2,1}$
2 $(v, k, \lambda) = (8, 3, \lambda)$, $\lambda \in \{0, 1, 2\}$ → $L_{1,2}, L_{2,2}$
$$L_1 = \begin{bmatrix} 0&7&1&3&2&4&6&5\\ 4&1&7&6&3&0&5&2\\ 7&0&4&2&5&3&1&6\\ 1&4&0&5&6&2&7&3\\ 2&3&6&7&1&5&0&4\\ 5&2&3&1&7&6&4&0\\ 3&6&5&0&4&7&2&1\\ 6&5&2&4&0&1&3&7 \end{bmatrix} = \begin{bmatrix} L_{1,1}\\ L_{1,2} \end{bmatr
ix}, \qquad L_2 = \begin{bmatrix} 0&4&2&3&1&6&5&7\\ 7&6&3&2&5&4&1&0\\ 5&3&1&6&0&2&7&4\\ 1&0&5&4&3&7&2&6\\ 2&1&0&7&4&5&6&3\\ 3&5&7&0&6&1&4&2\\ 4&7&6&1&2&0&3&5\\ 6&2&4&5&7&3&0&1 \end{bmatrix} = \begin{bmatrix} L_{2,1}\\ L_{2,2} \end{bmatrix}$$
Each block design characterizes an incidence matrix, i.e. a $(0,1)$-matrix: $A_1, A_2, A_3$ and $A_4$
$$A_1 = \begin{bmatrix} 1&1&1&0&1&0&0&1\\ 1&1&0&1&1&0&0&1\\ 1&1&0&0&1&0&1&1\\ 0&0&1&1&0&1&1&1\\ 0&1&1&1&0&1&1&0\\ 1&0&1&1&1&1&0&0\\ 1&1&0&0&0&1&1&1\\ 0&0&1&1&1&1&1&0 \end{bmatrix} \quad \text{and so on} \ldots$$
Key Recovery Attack against Secret-prefix Edon-R
Define the previously introduced permutations $\pi_2, \pi_3$ in an algebraic form
$$\pi_2(X) = A_2(\mathrm{ROTL}_r(A_1(X))), \qquad \pi_3(Y) = A_4(\mathrm{ROTL}_r(A_3(Y)))$$
It follows that
$$P^{(2)}_1 = X \ast Y \equiv \pi_1(\pi_2(X) +_8 \pi_3(Y)) = (U + C_0) \ast (U + C_1) = \pi_1\Big(A_2(\mathrm{ROTL}_r(A_1(U + C_0))) + A_4(\mathrm{ROTL}_r(A_3(U + C_1)))\Big)$$
Let $P^{(2)}_1 \in \mathbb{Z}^8_{2^{32}}$ → $(P^{(2)}_1)[i] = (X \ast Y)[i]$, $0 \le i \le 7$
Let $U \in \mathbb{Z}^8_{2^{32}}$, $U = \sum_{i=0}^{7} \alpha_i U_i$ with $\alpha_i \in \mathbb{Z}_{2^{32}}$
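An added example (not code from the slides or from the Edon-R submission) for the isotope construction on the design-properties slide and for the block designs, incidence matrices and algebraic form of $\pi_2$, $\pi_3$ above: it derives $A_1, \ldots, A_4$ from $L_1$ and $L_2$ as described (row $i$ of each matrix marks the entries of column $i$ of the 5-row or 3-row block), checks the block-design parameters and that every layer is a bijection, and evaluates $X \ast Y = \pi_1(\pi_2(X) +_8 \pi_3(Y))$ for a toy word size. The word size W = 8, the rotation amounts ROT and the word-position rotation used for $\pi_1$ are constructed assumptions; the real Edon-R constants are not on the slides.

```python
# Added example (not code from the slides or from the Edon-R submission): build an
# Edon-R style quasigroup X * Y = pi1(pi2(X) +8 pi3(Y)) from the Latin squares L1, L2
# on the slides. Constructed assumptions (not on the slides): the toy word size W, the
# rotation amounts ROT, and pi1 as a rotation of the eight word positions.
from functools import reduce

W = 8                              # toy word size; Edon-R uses w = 32 or 64
MASK = (1 << W) - 1
ROT = [1, 2, 3, 4, 5, 6, 7, 3]     # assumed per-word left-rotation amounts

L1 = [[0, 7, 1, 3, 2, 4, 6, 5], [4, 1, 7, 6, 3, 0, 5, 2], [7, 0, 4, 2, 5, 3, 1, 6],
      [1, 4, 0, 5, 6, 2, 7, 3], [2, 3, 6, 7, 1, 5, 0, 4], [5, 2, 3, 1, 7, 6, 4, 0],
      [3, 6, 5, 0, 4, 7, 2, 1], [6, 5, 2, 4, 0, 1, 3, 7]]
L2 = [[0, 4, 2, 3, 1, 6, 5, 7], [7, 6, 3, 2, 5, 4, 1, 0], [5, 3, 1, 6, 0, 2, 7, 4],
      [1, 0, 5, 4, 3, 7, 2, 6], [2, 1, 0, 7, 4, 5, 6, 3], [3, 5, 7, 0, 6, 1, 4, 2],
      [4, 7, 6, 1, 2, 0, 3, 5], [6, 2, 4, 5, 7, 3, 0, 1]]

def is_latin_square(L):
    n = len(L)
    return (all(sorted(r) == list(range(n)) for r in L)
            and all(sorted(L[i][j] for i in range(n)) == list(range(n)) for j in range(n)))

def incidence(L, rows):
    """Block i = the entries of column i in the given rows of L; row i of the
    (0,1)-matrix marks which of the 8 elements lie in block i."""
    return [[int(any(L[r][i] == e for r in rows)) for e in range(8)] for i in range(8)]

A1, A2 = incidence(L1, range(0, 5)), incidence(L1, range(5, 8))   # from L1,1 and L1,2
A3, A4 = incidence(L2, range(0, 5)), incidence(L2, range(5, 8))   # from L2,1 and L2,2

def design_params(A):
    """Block sizes k and the set of lambda values (blocks containing a given pair)."""
    k = {sum(row) for row in A}
    lam = {sum(A[b][e] & A[b][f] for b in range(8)) for e in range(8) for f in range(e + 1, 8)}
    return k, lam

def gf2_rank(A):
    """Rank over GF(2). Full rank makes the XOR layer a bijection and, because the
    determinant is then odd, the addition layer a bijection modulo 2^W as well."""
    rows, rank = [sum(bit << j for j, bit in enumerate(r)) for r in A], 0
    for col in range(8):
        piv = next((i for i in range(rank, 8) if rows[i] >> col & 1), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(8):
            if i != rank and rows[i] >> col & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

def rotl(x, k):
    return ((x << k) | (x >> (W - k))) & MASK

def add_layer(A, X):      # L1,1 / L2,1 style: sums modulo 2^W of the selected words
    return [sum(X[e] for e in range(8) if A[i][e]) & MASK for i in range(8)]

def xor_layer(A, X):      # L1,2 / L2,2 style: XOR of the selected words
    return [reduce(lambda a, b: a ^ b, (X[e] for e in range(8) if A[i][e]), 0) for i in range(8)]

def pi(A_add, A_xor, X):  # pi2(X) = A2(ROTL(A1(X))), pi3(Y) = A4(ROTL(A3(Y)))
    return xor_layer(A_xor, [rotl(v, ROT[i]) for i, v in enumerate(add_layer(A_add, X))])

def pi1(Z):               # assumed: rotate the word positions by one
    return Z[1:] + Z[:1]

def qmul(X, Y):
    """X * Y = pi1(pi2(X) +8 pi3(Y)); a quasigroup since every layer is a bijection."""
    return pi1([(a + b) & MASK for a, b in zip(pi(A1, A2, X), pi(A3, A4, Y))])

def shapeless_witness():
    """Constructed inputs on which the operation is neither commutative nor associative."""
    X, Y, Z = [[(s + i) & MASK for i in range(8)] for s in (1, 9, 17)]
    return qmul(X, Y) != qmul(Y, X), qmul(qmul(X, Y), Z) != qmul(X, qmul(Y, Z))
```

At $w = 32$ the same code defines a quasigroup of order $2^{256}$ without any table, which is the point of the isotope construction.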
Key Recovery Attack against Secret-prefix Edon-R
Define three vectors Ui, 0 ≤ i ≤ 2, in the kernels of some submatricesof A1 and A3, such that
A1 ∗ U0 =[∗ ∗ 0 0 ∗ 0 0 ∗
]A1 ∗ U1 =
[∗ ∗ 0 0 ∗ 0 0 ∗
]A1 ∗ U2 =
[0 0 0 0 ∗ 0 ∗ ∗
]...
Laurent showed, that the vectors Ui, regardless of αi or βi, do not effect thefollowing output words
((X + α0U0)� (Y + β0U0))⊕ (X � Y ) =[∗ ∗ ∗ ∗ ∗ 0 0 0
]((X + α1U1)� (Y + β1U1))⊕ (X � Y ) =
[∗ ∗ ∗ ∗ ∗ 0 ∗ 0
]((X + α2U2)� (Y + β2U2))⊕ (X � Y ) =
[∗ ∗ ∗ ∗ ∗ ∗ ∗ 0
]Dennis Hoppe (BUW) Edon-R 6th May 2009 38 / 44
Key Recovery Attack against Secret-prefix Edon-R
Observations
1 $\alpha_0$ has no effect on $(P^{(2)}_1)[5,6,7] = (X \ast Y)[5,6,7]$
2 $\alpha_1$ has no effect on $(P^{(2)}_1)[5,7] = (X \ast Y)[5,7]$
3 $\alpha_2$ has no effect on $(P^{(2)}_1)[7] = (X \ast Y)[7]$
Let $X' = X + \alpha_i U_i$ and let $Y' = Y + \beta_i U_i$; then, for $i = 0, 1, 2$ respectively,
$$(X' \ast Y')[5,6,7] = (X \ast Y)[5,6,7], \qquad (X' \ast Y')[5,7] = (X \ast Y)[5,7], \qquad (X' \ast Y')[7] = (X \ast Y)[7]$$
Key Recovery Attack against Secret-prefix Edon-R
Algorithm: Recover $U = \pi_1(\pi_3(X^{(3)}_0))$
Input: $C_0, C_1, P^{(2)}_1$
Output: $U \in \mathbb{Z}^8_{2^{32}}$
forall $\alpha_3, \ldots, \alpha_7 \in \mathbb{Z}_{2^{32}}$ do
    $U \leftarrow \sum_{i=3}^{7} \alpha_i U_i$, $V \leftarrow (U + C_0) \ast (U + C_1)$;
    if $V[7] = P[7]$ then
        forall $\alpha_2 \in \mathbb{Z}_{2^{32}}$ do
            $U \leftarrow \sum_{i=2}^{7} \alpha_i U_i$, $V \leftarrow (U + C_0) \ast (U + C_1)$;
            if $V[5] = P[5]$ then
                forall $\alpha_1 \in \mathbb{Z}_{2^{32}}$ do
                    $U \leftarrow \sum_{i=1}^{7} \alpha_i U_i$, $V \leftarrow (U + C_0) \ast (U + C_1)$;
                    if $V[6] = P[6]$ then
                        forall $\alpha_0 \in \mathbb{Z}_{2^{32}}$ do
                            $U \leftarrow \sum_{i=0}^{7} \alpha_i U_i$, $V \leftarrow (U + C_0) \ast (U + C_1)$;
                            if $V = P$ then return $U$
Key Recovery Attack against Secret-prefix Edon-R
Summary
The attack applies two queries to the hash function to gain additional information about a chaining value
Solve the equation $P^{(2)}_1 = (U + C_0) \ast (U + C_1)$ for $U = \pi_1(\pi_3(X^{(3)}_0))$ to recover $X^{(3)}_0$ by inverting both permutations
The algorithm takes $O(2^{5w})$, $w \in \{32, 64\}$, to compute $U$
Use $X^{(3)}_0$ to find $P^{(1)}_0$ in the second compression function
Apply $P^{(1)}_0$ in the first compression function
Then it is possible to invert the first compression function completely to recover the secret key $(P^{(0)}_0, P^{(0)}_1)$
Conclusions
Edon-R is a SHA-3 candidate
Edon-R could not stand up to its strong security claims:
Multi-collisions found
Fixed points found
Preimages found
Key recovery attack reveals insecure use as a MAC
Cryptanalysts exploit the (weak) compression function based on quasigroup operations, even though the designers claimed that iterating the compression function backwards is infeasible
Cryptanalysts exploit the wide-pipe design to fix one part of the chaining value or message block
Nevertheless, the design of Edon-R is straightforward and the hash function is among the fastest in a performance comparison (twice as fast as the SHA-2 family) (Fleischmann et al., 2009)
References
[Fleischmann et al. 2009] Fleischmann, E.; Forler, C.; Gorski, M.: Classification of the SHA-3 Candidates. In: uni-weimar.de (2009). http://www.uni-weimar.de/cms/fileadmin/medien/medsicherheit/Research/SHA3/Classification_of_the_SHA-3_Candidates.pdf
[Gligoroski et al. 2006a] Gligoroski, D.; Knapskog, S.; Andova, S.: Cryptcoding - Encryption and Error-Correction Coding in a Single Step. In: International Conference on Security and Management (2006), Jan. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.130.6216&rep=rep1&type=pdf
[Gligoroski et al. 2005] Gligoroski, D.; Markovski, S.; Knapskog, S.: A Fix of the MD4 Family of Hash Functions - Quasigroup Fold. In: NIST Cryptographic Hash Workshop (2005), Jan. http://www.itl.nist.gov/div893/csrc/groups/ST/hash/documents/Gligoroski_MD4Fix.pdf
[Gligoroski et al. 2008a] Gligoroski, D.; Markovski, S.; Knapskog, S.: The Stream Cipher Edon80. In: Lecture Notes in Computer Science (2008), Jan. http://www.springerlink.com/index/q7860850832n2080.pdf
[Gligoroski et al. 2006b] Gligoroski, D.; Markovski, S.; Kocarev, L.: Edon-R, an infinite family of cryptographic hash functions. In: Second NIST Cryptographic Hash Workshop (2006), Jan. http://csrc.ncsl.nist.gov/groups/ST/hash/documents/GLIGOROSKI_EdonR-ver06.pdf
[Gligoroski et al. 2008b] Gligoroski, Danilo; Odegard, Rune S.; Mihova, Marija: Cryptographic Hash Function EDON-R. (2008), Oct., pp. 1–79
[Khovratovich et al. 2008] Khovratovich, Dmitry; Nikolic, Ivica; Weinmann, Ralf-Philipp: Cryptanalysis of Edon-R. (2008), Nov., pp. 1–7. http://ehash.iaik.tugraz.at/uploads/7/74/Edon.pdf
[Klima 2008] Klima, Vlastimil: Multicollisions of EDON-R hash function and other observations. (2008), Nov., pp. 1–11. http://cryptography.hyperlink.cz/BMW/EDONR_analysis_vk.pdf
[Leurent 2009] Leurent, Gaetan: Key Recovery Attack against Secret-prefix Edon-R. In: Cryptology ePrint Archive, Report 2009/135 (2009), Mar., pp. 1–7. http://eprint.iacr.org/2009/135.pdf
[Lucks 2004] Lucks, Stefan: Design principles for iterated hash functions. In: IACR ePrint Archive (2004), Jan. http://mirror.cr.yp.to/eprint.iacr.org/2004/253.pdf