Blue Midnight Wish
May 12, 2010, Liliya Andreicheva
Agenda
SHA-3 competition
Blue Midnight Wish design
Tweaks for the 2nd round
Security claims
S. Thomsen's attacks
Rotational analysis
Conclusion
References
SHA-3 competition
"NIST has opened a public competition to develop a new cryptographic hash algorithm"
Initially 64 entries
1st round: 51 candidates
2nd round: 14 candidates
Blue Midnight Wish (BMW)
Authors: Danilo Gligoroski, Vlastimil Klima and their team
Norwegian University of Science and Technology
Cryptographic hash function with an output size of n bits
32-bit version supports n ∈ {224, 256}
64-bit version supports n ∈ {384, 512}
Uses a 16-round block-cipher-like component as part of the compression function
BMW general scheme
M: message block; H: chaining input
f0 is a permutation (a bijection) applied to M xor H; its output is Q
f1 is a multi-permutation with inputs M and Q
f2 is a compression of M and Q into the new chaining value H
Tweaks for the 2nd round
Tweaks applied to f0 and f1:
f0: a rotation of the chaining input H is now added into the function
f1: the chaining value H is now added to its input as well
Compression function: f0 (diagram)
Compression function: f1 (diagram)
Compression function: f2 (diagram)
Security claims
Collision resistance of approximately n/2 bits
Preimage resistance of approximately n bits
Second-preimage resistance of approximately n − k bits for any message shorter than 2^k bits
Resistance to length-extension attacks
Resistance to multicollision attacks
S. Thomsen's attacks: pseudo-cryptanalysis of the original BMW
Showed how to attack the original (untweaked) BMW with the following complexities:
Near-collision attack: 2^14
Pseudo-collision attack: 2^(3n/8 + 1)
Pseudo-(second-)preimage attack: 2^(3n/4 + 1)
where n is the hash output length in bits (for n = 256 this gives 2^97 and 2^193); "pseudo" means the attacker also chooses the chaining input, so these are results on the compression function rather than on the full hash
S. Thomsen's attacks (cont.)
Near-collision attack: the strategy is to search for difference patterns in the last few words of W such that the differences do not spread too much in the last few rounds of f1 and f2
Pseudo attacks: the idea is to fix some of the output words Q16, ..., Q31, after which f2 becomes simple; by fixing one of the input values the attacker controls some of the words of the chaining input H
S. Thomsen's attacks (cont.): complexity
Controlling 2 output words:
− Pseudo-collision attack: 2^(7n/16)
− Pseudo-preimage attack: 2^(7n/8)
Controlling 4 output words:
− Pseudo-collision attack: 2^(3n/8 + 1)
− Pseudo-preimage attack: 2^(3n/4 + 1)
Rotational analysis
Relatively new type of analysis
Looks at the propagation of a rotational pair (x, x <<< r), a word and its rotation by r bits, through the ARX operations of the function: rotation and XOR preserve such a pair with probability 1, modular addition with probability about 1/4, while shifts and added constants (both present in BMW) break it, which is the obstacle that motivates studying modified versions of BMW
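The rotational property the slide above relies on, as an added worked example (this is not code from the BMW submission or from the Nikolić et al. paper): it exhaustively counts, for 8-bit words, how many pairs survive XOR, modular addition and a logical shift as rotational pairs, checks the closed-form probability for addition against that count, and estimates the same probability for 32-bit words. Word size, rotation amounts, the sample count and the unary-shift wrapper are choices made here for illustration.

```python
import random


def rotl(x, r, n):
    """Rotate the n-bit word x left by r bits."""
    r %= n
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def is_rotational(op, x, y, r, n):
    """True if op commutes with rotation by r on the pair (x, y):
    op(x<<<r, y<<<r) == op(x, y)<<<r, with all values reduced to n bits."""
    mask = (1 << n) - 1
    lhs = op(rotl(x, r, n), rotl(y, r, n)) & mask
    rhs = rotl(op(x, y) & mask, r, n)
    return lhs == rhs


def count_rotational(op, r, n):
    """Exhaustive count over all 4^n pairs of n-bit words; practical for n <= 8."""
    return sum(is_rotational(op, x, y, r, n)
               for x in range(1 << n) for y in range(1 << n))


def add_rotational_probability(r, n):
    """Pr[(x + y)<<<r == (x<<<r) + (y<<<r)] for uniform n-bit x, y and 0 < r < n.
    Closed form (Daum): (1 + 2^(r-n) + 2^(-r) + 2^(-n)) / 4, i.e. roughly 1/4.
    It follows from requiring no carry out of the low n-r bits and none out of
    the high r bits; any other carry pattern makes the two sides differ."""
    return (1 + 2.0 ** (r - n) + 2.0 ** (-r) + 2.0 ** (-n)) / 4


def formula_matches_exhaustive(n):
    """Check the closed form against exhaustive counting for every 0 < r < n."""
    return all(count_rotational(ADD, r, n) == round(add_rotational_probability(r, n) * 4 ** n)
               for r in range(1, n))


def estimate_rotational_probability(op, r, n, samples=50000, seed=1):
    """Monte Carlo estimate (seeded, so repeatable) for word sizes too large to enumerate."""
    rng = random.Random(seed)
    hits = sum(is_rotational(op, rng.getrandbits(n), rng.getrandbits(n), r, n)
               for _ in range(samples))
    return hits / samples


# The ARX operations plus a logical shift; all take (x, y) so they share one harness.
XOR = lambda x, y: x ^ y
ADD = lambda x, y: x + y        # reduced to n bits inside is_rotational
SHR1 = lambda x, y: x >> 1      # unary shift of the kind used in BMW's s_i functions; y is ignored


if __name__ == "__main__":
    n = 8
    for name, op in (("xor", XOR), ("add", ADD), ("shr1", SHR1)):
        c = count_rotational(op, 1, n)
        print(f"{name:5s} n={n} r=1: {c}/{4 ** n} pairs stay rotational ({c / 4 ** n:.4f})")
    print("closed form matches exhaustive count for n=8:", formula_matches_exhaustive(n))
    print("32-bit add, r=1, Monte Carlo:", estimate_rotational_probability(ADD, 1, 32))
    print("32-bit add, r=1, closed form:", add_rotational_probability(1, 32))
```

XOR keeps every pair rotational, addition keeps roughly a quarter of them (the exact fraction depends on r and n as the closed form shows), and a single shift already drops to a quarter for a unary operation, which is why a rotational trail through a function built from shifts cannot be followed with usable probability.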
Conclusion
The attacks presented by Thomsen are infeasible in practice, and they target the original, untweaked BMW
Further investigation of rotational analysis is needed
References
Søren S. Thomsen. Pseudo-cryptanalysis of Blue Midnight Wish. Available online, 2009.
Jian Guo, Søren S. Thomsen. Distinguishers for the Compression Function of Blue Midnight Wish with Probability 1. Available online, 2010.
Søren S. Thomsen. Pseudo-cryptanalysis of the Original Blue Midnight Wish. In S. Hong and T. Iwata, editors, Fast Software Encryption, LNCS, Seoul, South Korea, 2010. To appear.
Ivica Nikolić, Josef Pieprzyk, Przemysław Sokołowski, Ron Steinfeld. Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD. Available online, 2010.
Søren S. Thomsen. A near-collision attack on the Blue Midnight Wish compression function. Version 2.0, available online, 2008.
Thank you!
Questions?