cryptograhic hash function edon r fileagenda 1 cryptographic hash algorithm competition 2...

Cryptograhic Hash Function Edon-RMathematical Background, Structure, and Cryptanalysis

Dennis Hoppe

Bauhaus-University Weimar

6th May 2009

Dennis Hoppe (BUW) Edon-R 6th May 2009 1 / 44

Agenda

1 Cryptographic Hash Algorithm Competition

2 Mathematical Preliminaries

3 Edon-RDescriptionDesign PropertiesSecurity Claims

4 Cryptanalysis of Edon-RKey-Recovery Attack

5 Conclusions


Agenda





5 Conclusions


Cryptographic Hash Algorithm Competition

NIST has opened a public competition to develop a newcryptographic hash algorithm, which converts a variablelength message into a short “message digest” that can beused for digital signatures, message authentication andother applications. The competition is NIST’s response torecent advances in the cryptanalysis of hash functions. Thenew hash algorithm will be called “SHA-3” [..]

Among the SHA-3 submissions is Edon-R, a hash function based onthe theory of quasigroups (Gligoroski et al., 2008b)


Agenda





5 Conclusions


Mathematical Background

Definition (Quasigroup)

The magma (Q,�), Q = {q1, q2, . . . , qr}, |Q| = r is called a finitequasigroup of order r if, when any two elements a, b ∈ Q are given, theequations a� x = b and y � a = b each have exactly one solution.

Definition (Latin Square)

The multiplication table of a finitequasigroup of order r is a latinsquare, i.e., an r × r-array with theproperty that each row and eachcolumn is a permutation of Q.


Mathematical Background – cont’d

Definition (Quasigroup e-transformation)

A quasigroup e-transformation of a string A = (a0, . . . , an−1)is defined by the function ek : Q×Qn → Qn, where k ∈ Q,ek(A) = B = (b0, . . . , bn−1), and

bi :={k ∗ a0 if i = 0bi−1 ∗ ai if 1 ≤ i ≤ n− 1

k

a0

b0 b1 bn-2 bn-1

an-1an-2a1 . . .

. . .



Definition (Single reverse quasigroup string transformation)

A quasigroup single reverse string transformation is the functionR1 : Qn → Qn defined as

R1(A) = B = eA,n(A) = ea0(ea1(. . . (ean−2(ean−1(A))))



Consider the quasigroup (Q,�) ofmodular subtraction, a, b ∈ Q,a� b = a+ r − b mod r.Let Q = {0, 1, 2, 3} and let thequasigroup be given by thefollowing multiplication scheme:

� 0 1 2 3

0 0 3 2 11 1 0 3 22 2 1 0 33 3 2 1 0

Consider the string A = 0 1 2 3 0.The transformation results inR1(A) = eA,5(A) = 0 0 1 0 3.

R1 0 1 2 3 0 = A

0 0 3 1 2 23 3 0 3 1 32 3 3 0 3 01 2 3 3 0 00 2 3 0 0 0 = R1(A)



Theorem (One-wayness of R1)

If the quasigroup (Q,�) is non-associative and non-commutative(shapeless), then the complexity of finding the preimage for thefunction R1 : Qn → Qn of order r is O(rb

n3c).

R1 ? ? · · · · · · ?

? ? ? · · · · · · x(1)n−1

? ? ? · · · · · · x(2)n−1

......

.... . . .

...

? ? ? x(n−2)2 · · · x

(n−2)n−1

? ? x(n−1)1 · · · · · · x

(n−1)n−1

? b(n)0 b

(n)1 · · · · · · b

(n)n−1

Let B = (b0, . . . , bn−1)be given, find a stringA = (a0, . . . , an−1),such that B = R1(A).





n3c).

R1 a0 ? · · · · · · an−1

an−1 x(1)0 ? · · · x

(1)n−2 x

(1)n−1

? ? ? · · · x(2)n−2 x

(2)n−1

......

.... . . .

...

? ? x(n−2)1 x

(n−2)2 · · · x

(n−2)n−1

? x(n−1)0 x

(n−1)1 · · · · · · x

(n−1)n−1

a0 b(n)0 b

(n)1 · · · · · · b

(n)n−1






n3c).

R1 a0 a1 · · · an−2 an−1

an−1 x(1)0 x

(1)1 · · · x

(1)n−2 x

(1)n−1

an−2 x(2)0 x

(2)1 · · · x

(2)n−2 x

(2)n−1

......

.... . . .

...

? x(n−2)0 x

(n−2)1 x

(n−2)2 · · · x

(n−2)n−1

a1 x(n−1)0 x

(n−1)1 · · · · · · x

(n−1)n−1

a0 b(n)0 b

(n)1 · · · · · · b

(n)n−1




Problems

Quasigroups of a low order r are easily invertible

Usage of general quasigroups requires to store itscorresponding latin square, i.e, r2 elements

Not feasable for large quasigroups of order r ≥ 2256



Definition (Isotopic quasigroups)

Two quasigroups Q and R are said to be isotopic, if there exists a triple(α, β, γ) of maps from Q to R, such that α(x)β(y) = γ(xy) and eachof the three maps is a bijection. In terms of a latin square, an isotopy isgiven by a permutation of rows and columns.

x� y = π1(π2(x)� π3(y))

Consequences

Efficient method to construct new quasigroups

Gives the possibility to compute the result of the multiplicationwithout a table. Allows to construct large quasigroups

Security additionally depends on the difficulty of inverting themappings



Properties of quasigroups to ensure one-wayness

Non-associative

Non-commutative

Non-linear quasigroup operation, e.g. +Order r ≥ 2256

Then, inversion of the quasigroup operation is hard.



Application of quasigroups in cryptology

Vigenere Cipher

A fix of the MD4 Family of Hash Functions (Gligoroski et al., 2005)

Error-Correction Coding (Gligoroski et al., 2006a)

Stream Cipher Edon80 (Gligoroski et al., 2008a)

Edon-R (Gligoroski et al., 2006b)


Agenda





5 Conclusions


Description of Edon-R

Cryptographich hash function

Supports output size of n-bits, n ∈ {224, 256, 384, 512}32-bit version supports n ∈ {224, 256}64-bit version supports n ∈ {384, 512}

Based on low primitive operations like addition modulo 232/264,wordwise rotation and bitwise exclusive-OR

Very fast hash computation

Conjectured security claims according to NIST standards

Collisions resistance: O(2n2 )

Preimage resistance: O(2n)Second-preimage resistance: O(2n−k)


Description of Edon-R – cont’d

Input: Message M of length l bits and the size n of the HashOutput: A Hash of the message M of size n bit

1 Preprocessing

(a) Pad the message M (MD-Strengthening)(b) Parse the padded message into 2n-bit blocks, M (1),. . ., M (N)

(c) Set the initial value of the douple pipe to P (0)

2 Hash computation

(a) FOR i = 1 to N DO P (i) = R(P (i−1),M (i));3 The resulting hash are the least significant n-bits from P (N)

(Truncation)



R R R. . .

. . .

T

P (0) P (1)

M (0) M (1) M (N-1)

P (N-1) P (N)

P (N)0

Wide-Pipe Strategy (Lucks, 2004)

Internal chaining values have a size independent of the final hash

“Widen” the internal pipe from n bit to w ≥ 2n bit

Use two compression functions

It is unlikely to find internal collisions

Takes pairs of input values

P (i) ≡ (P (i)0 , P

(i)1 )

M (i) ≡ (M (i)0 ,M

(i)1 )



Edon-R one-way function RR : Q4

q → Q2q , q = 256, 512

R(P (i)0 , P

(i)1 ,M

(i)0 ,M

(i)1 ) = (P (i+1)

0 , P(i+1)1 )

M

P

P

0

0(0)

1(0)

(1)

M 1(1)

M 1(1)M 0

(1)

P1(1)P0

(1)

R

P(0)

M(1) (2) (N)




q → Q2q , q = 256, 512

R(P (i)0 , P

(i)1 ,M

(i)0 ,M

(i)1 ) = (P (i+1)

0 , P(i+1)1 )

M

P

P

0

0(0)

1(0)

(1)

M 1(1)

M 1(1)M 0

(1)

P1(1)P0

(1)

R

X0(1) X1

(1)

X0(2) X1

(2)

X0(3) X1

(3)P(0)

M(1) (N)




q → Q2q , q = 256, 512

R(P (i)0 , P

(i)1 ,M

(i)0 ,M

(i)1 ) = (P (i+1)

0 , P(i+1)1 )

M

P

P

0

0(0)

1(0)

(1)

M 1(1)

M 1(1)M 0

(1)

P1(1)P0

(1)

R

X0(1) X1

(1)

X0(2) X1

(2)

X0(3) X1

(3)P(0)

M(1) (2) (N)




q → Q2q , q = 256, 512

R(P (i)0 , P

(i)1 ,M

(i)0 ,M

(i)1 ) = (P (i+1)

0 , P(i+1)1 )

M

P

P

0

0(0)

1(0)

(1)

M 1(1)

M 1(1)M 0

(1)

P1(1)P0

(1)

R

X0(1) X1

(1)

X0(2) X1

(2)

X0(3) X1

(3)

M

P

P

0

0(1)

1(1)

(2)

M 1(2)

M 1(2)M 0

(2)

P1(2)P0

(2)

R

X0(1) X1

(1)

X0(2) X1

(2)

X0(3) X1

(3)P(0)

M(1)

. . .

. . .

. . .

M(2)

M

P

P

0

0(N-1)

1(N-1)

(N)

M 1(N)

M 1(N)M 0

(N)

P1(N)P0

(N)

R

X0(1) X1

(1)

X0(2) X1

(2)

X0(3) X1

(3)

M(N)


Agenda





5 Conclusions


Design Properties of Edon-R

Quasigroups of order 2256 and 2512

Construct quasigroups (Q,�) as isotopes of ((Z2w)8,+8), w = 32, 64Define three permutations πi : Zq

2 → Zq2 for 1 ≤ i ≤ 3, such that

X � Y ≡ π1(π2(X) +8 π3(Y ))

for all X,Y ∈ (Z2w)8

Define these operations as bitwise operations on w-bit values

1 Addition modulo 2w

2 Wordwise-rotation to the left for k positions3 Bitwise exclusive-OR


Design Properties of Edon-R – cont’d



Remarks

L1,1 and L2,1 transform the values by addition modulo 2w

L1,2 and L2,2 transform the values by XORing

π2 and π3 add diffusion and non-linear mixing separately on both X,Y

π1 introduces additional diffusion by means of a simple rotation

Overall design structure is a shapeless quasigroup of order r ≥ 2256


Agenda





5 Conclusions


Security Claims

Resistance against generic length extension attacks andmulticollision attacks due to the Wide-Pipe Design

Avoiding fixed points for the compression function RA fixed point is characterized by R(X) = XA cryptanalyst found: R(0) = 0Designers added constants to the transformations

Iterating Edon-R backwards is infeasibleInfeasability of solving non-linear quasigroup equationsFinding preimages and second-preimages: O(2n)

Finding free start collisions is infeasable

Provable resistance to differential cryptanalysis

Edon-R can be securely used with the HMAC

Any possible successful attack on SHA-2 family ofhash functions is unlikely to be applicable to Edon-R


Security Claims – cont’d

Worked out vulnerabilities

Multicollisions, multipreimages and fixed points(Klima, 2008)

Free start collisions, preimages and second-preimages(Khovratovich et al., 2008)

Key recovery attack on secret-prefix Edon-R(Leurent, 2009)


Agenda





5 Conclusions


Key Recovery Attack against Secret-prefix Edon-R

Results (Leurent, 2009)

Using Edon-R as a MAC with the secret prefix method is unsafe

It is possible to recover the secret key k with only two queries to thehash function

Attack takes an effort of O(25w), w = 32, 64 → O(25n/8)Author believes, it is a strong weakness in the design of Edon-R



What is a MAC?

Message Authentication Code

Used to authenticate messages by means of a secret key k

Hash functions can be used to with an additional secret key toproduce a MAC, such that

H : {0, 1}k × {0, 1}∗ → {0, 1}n

Construction (intuitive)

1 Prefix Method: MACk(M) = H(k||M)2 Postfix Method: MACk(M) = H(M ||k)3 Envelope Method: MACk(M) = H(k||M ||k)



Secret-prefix construction of Edon-RIn general, the prefix method to construct a MAC is weak,because length extension attacks are possible

Due to the wide-pipe design of Edon-R the secret-prefixconstruction is secure:

MACk = Edon-R(k||M)

If the key k is padded to a full block, k is equivalent to (P (0)0 , P

(0)1 )

The aim is to recover (P (0)0 , P

(0)1 ) by means of two queries


Key Recovery Attack against Secret-prefix Edon-RKey Recovery (Two queries are sufficient)

1 Edon-R(M)

RP (0)

M (0)

M (0)1

0

P (0)1

0 P (1)

P (1)1

0 TP (1)

1

2 Edon-R(M ′), such that M ′ = Mpad||{0, 1}n

RP (0)

M (0)

M (0)1

0

P (0)1

0 P (2)

P (2)1

0 TP (2)

1

RP (1)

M (1)

M (1)1

0

P (1)1

0



Let’s have a closer look at the compression functions

Second(!) query

M

P

P

0

0(1)

1(1)

(1)

M 1(1)

M 1(1)M 0

(1)

P1(2)P0

(2)

R

X0(1) X1

(1)

X0(2) X1

(2)

X0(3) X1

(3)

First query

M

P

P

0

0(0)

1(0)

(0)

M 1(0)

M 1(0)M 0

(0)

P1(1)P0

(1)

R

X0(1) X1

(1)

X0(2) X1

(2)

X0(3) X1

(3)


Key Recovery Attack against Secret-prefix Edon-RCompute X

(3)0

P(2)1 = P

(2)0 �X(3)

1 = (M (1)0 �X(3)

0 )� (X(2)1 �X(3)

0 ) (1)

Remember the quasigroup operation of Edon-R

X � Y ≡ π1(π2(X) +8 π3(Y ))

We can rewrite equation (1)

P(2)1 =

(π1(π2(M

(1)0 )) +8 π1(π3(X

(3)0 ))

)�(π1(π2(X

(2)1 )) +8 π1(π3(X

(3)0 ))

)U = π1(π3(X

(3)0 )) → U is unknown; recover X

(3)0 from U

C0 = π1(π2(M(1)0 )) → known constant

C1 = π1(π3(X(2)1 )) → known constant

P = (U + C0)� (U + C1)



Construct four block-designs (v, k, λ) from L1 and L2

1 (v, k, λ) = (8, 5, λ), λ ∈ {2, 3, 4} → L1,1, L2,1

2 (v, k, λ) = (8, 3, λ), λ ∈ {0, 1, 2} → L1,2, L2,2

L1 =

26666666664

0 7 1 3 2 4 6 54 1 7 6 3 0 5 27 0 4 2 5 3 1 61 4 0 5 6 2 7 32 3 6 7 1 5 0 45 2 3 1 7 6 4 03 6 5 0 4 7 2 16 5 2 4 0 1 3 7

37777777775=

»L1,1L1,2

–L2 =

26666666664

0 4 2 3 1 6 5 77 6 3 2 5 4 1 05 3 1 6 0 2 7 41 0 5 4 3 7 2 62 1 0 7 4 5 6 33 5 7 0 6 1 4 24 7 6 1 2 0 3 56 2 4 5 7 3 0 1

37777777775=

»L2,1L2,2

–

Each block-design characterizes an incidence matrix, i.e.(0, 1)-matrix, A1,A2, A3, and A4

bA1 =

26666666664

1 1 1 0 1 0 0 11 1 0 1 1 0 0 11 1 0 0 1 0 1 10 0 1 1 0 1 1 10 1 1 1 0 1 1 01 0 1 1 1 1 0 01 1 0 0 0 1 1 10 0 1 1 1 1 1 0

37777777775and so on . . .



Define the former introduced permutations π2, π3 in an algebraic form

π2(X) = A2(ROTLr(A1(X))

π3(Y ) = A4(ROTLr(A3(Y ))

It follows, that

P(2)1 = X � Y ≡ π1(π2(X) +8 π3(Y ))

= (U + C0)� (U + C1)

= π1

(A2(ROTLr(A1(U + C0)) + A4(ROTLr(A3(U + C1))

)Let P

(2)1 ∈ Z8

232 → (P (2)1 )[i] = (X � Y )[i], 0 ≤ i ≤ 7

Let U ∈ Z8232 , U =

∑7i=0 αiUi with αi ∈ Z232



Define three vectors Ui, 0 ≤ i ≤ 2, in the kernels of some submatricesof A1 and A3, such that

A1 ∗ U0 =[∗ ∗ 0 0 ∗ 0 0 ∗

]A1 ∗ U1 =

[∗ ∗ 0 0 ∗ 0 0 ∗

]A1 ∗ U2 =

[0 0 0 0 ∗ 0 ∗ ∗

]...

Laurent showed, that the vectors Ui, regardless of αi or βi, do not effect thefollowing output words

((X + α0U0)� (Y + β0U0))⊕ (X � Y ) =[∗ ∗ ∗ ∗ ∗ 0 0 0

]((X + α1U1)� (Y + β1U1))⊕ (X � Y ) =

[∗ ∗ ∗ ∗ ∗ 0 ∗ 0

]((X + α2U2)� (Y + β2U2))⊕ (X � Y ) =

[∗ ∗ ∗ ∗ ∗ ∗ ∗ 0

]Dennis Hoppe (BUW) Edon-R 6th May 2009 38 / 44


Observations

1 α0 has no effect on (P (2)1 )[5,6,7] = (X � Y )[5,6,7]

2 α1 has no effect on (P (2)1 )[5,7] = (X � Y )[5,7]

3 α2 has no effect on (P (2)1 )[7] = (X � Y )[7]

Let X ′ = X + αiUi and let Y ′ = Y + βiUi

(X ′ � Y ′)[5,6,7] = (X � Y )[5,6,7]

(X ′ � Y ′)[5,7] = (X � Y )[5,7]

(X ′ � Y ′)[7] = (X � Y )[7]



Algorithm: Recover U = π1(π3(X(3)0 ))

Input: C0, C1, P(2)1

Output: U ∈ Z8232

forall α3, . . . , α7 ∈ Z232 do

U ←∑7

i=3 αiUi, V ← (U + C0)� (U + C1);

if V [7] = P [7] thenforall α2 ∈ Z232 do

U ←∑7

i=2 αiUi, V ← (U + C0)� (U + C1);


U ←∑7

i=1 αiUi, V ← (U + C0)� (U + C1);


U ←∑7

i=0 αiUi, V ← (U + C0)� (U + C1);

if V = P thenreturn U



Summary

Attack applies two queries to the hash function to gain additionalinformation about a chaining value

Solve the equation P(2)1 = (U + C0)� (U + C1) for

U = π1(π3(X(3)0 )) to recover X

(3)0 by inverting both permutations

Algorithm takes O(25w), w ∈ {32, 64}, to compute U

Use X(3)0 to find P

(1)0 in the second compression function

Apply P(1)0 in the first compression function

Then, it is possible to invert the first compression function completely

to recover the secret key (P (0)0 , P

(0)1 )


Agenda





5 Conclusions


Conclusions

Edon-R is a SHA-3 candidate

Edon-R could not stand its strong security claims

Multi-collisions foundFixed points foundPreimages foundKey Recovery attack reveals insecure use as a MAC

Cryptanalysts exploit the (weak) compression function based onquasigroup operations, even so the designers claimed that iteratingthe compression function is infeasable

Cryptanalysts exploit the wide-pipe design to fix one part of thechaining value or message block

Nevertheless, the design of Edon-R is straight forward and the hashfunction is among the fastest in a perfomance comparison (twice asfast as SHA-2 family) (Fleischmann et al., 2009)


Referenzen

[Fleischmann et al. 2009] Fleischmann, E ; Forler, C ; Gorski, M: Classification of the SHA-3 Candidates. In:uni-weimar.de (2009). http://www.uni-weimar.de/cms/fileadmin/medien/medsicherheit/Research/SHA3/

Classification_of_the_SHA-3_Candidates.pdf

[Gligoroski et al. 2006a] Gligoroski, D ; Knapskog, S ; Andova, S: Cryptcoding-Encryption and Error-Correction Coding in aSingle Step. In: International Conference on Security and Management (2006), Jan.http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.130.6216&rep=rep1&type=pdf

[Gligoroski et al. 2005] Gligoroski, D ; Markovski, S ; Knapskog, S: A Fix of the MD4 Family of HashFunctions-Quasigroup Fold. In: NIST Cryptographic Hash Workshop (2005), Jan.http://www.itl.nist.gov/div893/csrc/groups/ST/hash/documents/Gligoroski_MD4Fix.pdf

[Gligoroski et al. 2008a] Gligoroski, D ; Markovski, S ; Knapskog, S: The Stream Cipher Edon80. In: LECTURE NOTESIN COMPUTER SCIENCE (2008), Jan. http://www.springerlink.com/index/q7860850832n2080.pdf

[Gligoroski et al. 2006b] Gligoroski, D ; Markovski, S ; Kocarev, L: Edon–R, an infinite family of cryptographic hashfunctions. In: Second NIST Cryptographic Hash Workshop (2006), Jan.http://csrc.ncsl.nist.gov/groups/ST/hash/documents/GLIGOROSKI_EdonR-ver06.pdf

[Gligoroski et al. 2008b] Gligoroski, Danilo ; Odegard, Rune S. ; Mihova, Marija: Cryptographic Hash Function EDON-R.(2008), Oct, S. 1–79

[Khovratovich et al. 2008] Khovratovich, Dmitry ; Nikolic, Ivica ; Weinmann, Ralf-Philipp: Cryptanalysis of Edon-R.(2008), Nov, 1–7. http://ehash.iaik.tugraz.at/uploads/7/74/Edon.pdf

[Klima 2008] Klima, Vlastimil: Multicollisions of EDON-R hash function and other observations. (2008), Nov, 1–11.http://cryptography.hyperlink.cz/BMW/EDONR_analysis_vk.pdf

[Leurent 2009] Leurent, Gaetan: Key Recovery Attack against Secret-prefix Edon-R5. In: Cryptology ePrint Archive, Report2009/135 (2009), Mar, 1–7. http://eprint.iacr.org/2009/135.pdf

[Lucks 2004] Lucks, Stefan: Design principles for iterated hash functions. In: IACR eprint archive (2004), Jan.http://mirror.cr.yp.to/eprint.iacr.org/2004/253.pdf


http://www.uni-weimar.de/cms/fileadmin/medien/medsicherheit/Research/SHA3/Classification_of_the_SHA-3_Candidates.pdf

http://www.uni-weimar.de/cms/fileadmin/medien/medsicherheit/Research/SHA3/Classification_of_the_SHA-3_Candidates.pdf

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.130.6216&rep=rep1&type=pdf

http://www.itl.nist.gov/div893/csrc/groups/ST/hash/documents/Gligoroski_MD4Fix.pdf

http://www.springerlink.com/index/q7860850832n2080.pdf

http://csrc.ncsl.nist.gov/groups/ST/hash/documents/GLIGOROSKI_EdonR-ver06.pdf

http://ehash.iaik.tugraz.at/uploads/7/74/Edon.pdf

http://cryptography.hyperlink.cz/BMW/EDONR_analysis_vk.pdf

http://eprint.iacr.org/2009/135.pdf

http://mirror.cr.yp.to/eprint.iacr.org/2004/253.pdf

cryptograhic hash function edon r fileagenda 1 cryptographic hash algorithm competition 2...

Documents