How to Improve Rebound Attacks

Abstract. We analyze the internal permutations of Keccak, one of the NIST SHA-3 competition finalists, in regard to differential properties. By carefully studying the elements composing those permutations, we are able to derive most of the best known differential paths for up to 5 rounds. We use these differential paths in a rebound attack setting and adapt this powerful freedom degrees utilization in order to derive distinguishers for up to 8 rounds of the internal permutations of the submitted version of Keccak. The complexity of the 8 round distinguisher is 2 491.47 . Our results have been implemented and verified experimentally on a small version of Keccak. This is currently the best known differential attack against the internal permutations of Keccak.

show abstract

“…Also, the bottleneck of our attack is now p match . Using the techniques presented in [22] could help reducing the complexity of it. …”

Section: Results and Conclusionmentioning

confidence: 99%

Unaligned Rebound Attack: Application to Keccak

Duc

Guo

Peyrin

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In order to find solutions for the middle rounds (see Figure 4), we propose an algorithm inspired by the ones in [20,21]. As in [7,14], instead of dealing with the classical t 2 parallel c-bit SubBytes SBox applications, one can consider t parallel tc-bit SBoxes (named SuperSBoxes) each composed of two SBox layers surrounding one MixCells and one AddRoundConstant function.…”

Section: Finding a Conforming Pairmentioning

confidence: 99%

“…Since most rebound-based attacks actually required many such pairs, this was not much of a constraint. In parallel, other improvements on the truncated differential paths utilized [25] or on methods to merge lists [21] were proposed.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Improved Cryptanalysis of AES-like Permutations

2013

Self Cite

View full text Add to dashboard Cite

Abstract. AES-based functions have attracted of a lot of analysis in the recent years, mainly due to the SHA-3 hash function competition. In particular, the rebound attack allowed to break several proposals and many improvements/variants of this method have been published. Yet, it remained an open question whether it was possible to reach one more round with this type of technique compared to the state-of-the-art. In this article, we close this open problem by providing a further improvement over the original rebound attack and its variants, that allows the attacker to control one more round in the middle of a differential path for an AES-like permutation. Our algorithm is based on lists merging as defined in [21] and we generalized the concept to non-full active truncated differential paths [25]. As an illustration, we applied our method to the internal permutations used in Grøstl, one of the five finalist hash functions of the SHA-3 competition. When entering this final phase, the designers tweaked the function so as to thwart attacks from Peyrin [24] that exploited relations between the internal permutations. Until our results, no analysis was published on Grøstl and the best results reached 8 and 7 rounds for the 256-bit and 512-bit version respectively. By applying our algorithm, we present new internal permutation distinguishers on 9 and 10 rounds respectively.

show abstract

“…Several improvements have appeared through the new analyses, like startfrom-the-middle attack [22] or Super-SBoxes [13,19], which allow to control three rounds in the middle, multinbounds [21] which extend the number of rounds analyzed by a better use of the freedom degrees (better ways of merging the inbounds were proposed in [24]), or non-fully-active states [27] that permits to reduce the complexity of the outbound part. In [17], a method for controlling four rounds in the middle with high complexity was proposed, and it allows to reach a total of 9 rounds with regards to distinguishers in the case of a large permutation size.…”

Section: Introductionmentioning

confidence: 99%

Multiple Limited-Birthday Distinguishers and Applications

Jean

Naya-Plasencia

Peyrin

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In this article, we propose a new improvement of the rebound techniques, used for cryptanalyzing AES-like permutations during the past years. Our improvement, that allows to reduce the complexity of the attacks, increases the probability of the outbound part by considering a new type of differential paths. Moreover, we propose a new type of distinguisher, the multiple limited-birthday problem, based on the limited-birthday one, but where differences on the input and on the output might have randomized positions. We also discuss the generic complexity for solving this problem and provide a lower bound of it as well as we propose an efficient and generic algorithm for solving it. Our advances lead to improved distinguishing or collision results for many AES-based functions such as AES, ECHO, Grøstl, LED, PHOTON and Whirlpool.

show abstract

How to Improve Rebound Attacks

Cited by 41 publications

References 15 publications

Unaligned Rebound Attack: Application to Keccak

Unaligned Rebound Attack: Application to Keccak

Improved Cryptanalysis of AES-like Permutations

Multiple Limited-Birthday Distinguishers and Applications

Contact Info

Product

Resources

About