The π-cipher is one of the candidates of the CAESAR competition. One of the advertised features of the π-cipher is tag second-preimage resistance: it should be hard to generate a message with a given tag, even for the legitimate key holder (insider attack). In this note, we show that the generalized birthday attack of Wagner gives a practical tag second-preimage attack against the π-cipher

Leurent, Gaëtan

INRIA a CCSD electronic archive server

HAL Id: hal-00966794https://hal.inria.fr/hal-00966794v2Preprint submitted on 27 Mar 2014HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.Tag Second-preimage Attack against π-cipherGaëtan LeurentTo cite this version:Gaëtan Leurent. Tag Second-preimage Attack against π-cipher. 2014. ￿hal-00966794v2￿Tag Second-preimage Attack against π-cipherGaëtan LeurentInria, France⋆Abstract. The π-cipher is one of the candidates of the CAESAR competition. Oneof the advertised features of the π-cipher is tag second-preimage resistance: it shouldbe hard to generate a message with a given tag, even for the legitimate key holder(insider attack).In this note, we show that the generalized birthday attack of Wagner gives a practicaltag second-preimage attack against the π-cipher.1 IntroductionThe π-cipher [2] is an authenticated encryption algorithm submitted to the CAESARcompetition. One of the extra features advertised by the designers is tag second-preimage resistance: it should be hard to produce second-preimages of a given tag,even for an adversary who knows the secret key (most authenticated encryptionalgorithm do not have this feature, and an insider can easily generate tag second-preimages).As written in [2, 4.1], the tag generation of an m-block message with the π-ciphercan be written as:T = T ′′ ⊞8 e(1,M1)⊞8 e(2,M2)⊞8 · · ·⊞8 e(m,Mm)where e denotes a keyed function known to the key holder (the e-triplex), ⊞8 is acomponent-wise addition of vectors of 8 elements in Z2ω , and T′′ is the associateddata tag (known to the insider). The word-size ω is 16, 32, or 64, depending on thesecurity level. In a tag second-preimage attack, an insider wants to build a messageM reaching a fixed tag T̄ . Witout loss of generality, we assume T ′′ = 0 and T̄ = 0.In the submission document of π-cipher, the tag second-preimage problem is seenas a knapsack problem, and the main attack considered is a variant of an attack byCamion and Patarin [1]. However, the generalization of this attack due to Wagner [3]can break the problem more efficiently.2 Wagner’s Generalized Birthday AttackThe generalized birthday attack of Wagner is an attack against the m-sum problem:given m lists L1, L2, . . . , Lm of n-bit words, one find values l1 ∈ L1, . . . , lm ∈ Lmsuch that⊕mi=1 lm = 0. If each list contains at least 2n/m elements there is a goodprobability that a solution exists, but the best known algorithm is a simple birthdayattack in time and memory Õ(2n/2). One would first build two lists LA and LBwith all the sums of elements in L1, ...Lm/2 and Lm/2+1, ...Lm respectively, then sortLA and LB, and look for a match between the two lists (LA and LB contain 2n/2elements each).⋆ SECRET project-team, Gaetan.Leurent@inria.frWagner’s algorithm has a lower complexity, but it requires more elements in thelists. For instance, with m = 4, it uses lists of size 2n/3 in order to find one solutionusing Õ(2n/3) time and memory. The basic operation of the algorithm is the generaljoin ⊲⊳τ : L ⊲⊳τ L′ consists of all the elements of L× L′ that agree on their τ leastsignificant bits. More precisely, the operation can be defined over list of values withassociated data:L ⊲⊳τ L′ ={(l ⊕ l′, (a, a′)) ∣∣ (l, a) ∈ L, (l′, a′) ∈ L′, lowτ (l ⊕ l′) = 0}.The join operation is computed efficiently by sorting the lists L and L′ accordingto the lower τ bits, and stepping through the lists simultaneously in order to findvalues that agree on their low bits. Moreover, the sorting can be done in linear timeusing a hash table, or a radix sort.L1 L2 L3 L4L12⊲⊳n/3L34⊲⊳n/3L1234⊲⊳2n/34 lists of 2n/3 elements2 lists of 2n/3 elementswith 2n/3 zeros1 list of 2n/3 elementswith 22n/3 zerosFig. 1. Wagner’s algorithm for m = 4The generalized birthday algorithm for m = 4 is described by Figure 1. We firstbuild the lists L12 = L1 ⊲⊳n/3 L2 and L34 = L3 ⊲⊳n/3 L4, containing about 2n/3elements. Next, we build L1234 = L12 ⊲⊳2n/3 L34. Since the elements of L12 and L34already agree on their n/3 lower bits, we are only matching bits n/3 to 2n/3, so westill expect to find 2n/3 elements. Finally, we expect one of the elements of L1234 tobe zero. This can be generalized to any m that is a power of two, using a binarytree: if m = 2a, we need m lists of 2n/(a+1) elements and the time and memory usedby the algorithm is 2a · r2n/(a+1). The algorithm for m = 8 is shown by Figure 2.3 Application to the π-cipherIn order to apply this attack to the π-cipher, we need to solve the m-sum problem forthe word-wise modular addition ⊞8, instead of the exclusive-or ⊕. Wagner showedhow to solve the generalized birthday problem with a modular addition, and histrick also works for the word-wise modular addition. More precisely, we have tomodify the join operator to:L ◮◭τ L′ ={(l ⊞8 l′, (a, a′)) ∣∣ (l, a) ∈ L, (l′, a′) ∈ L′, lowτ (l ⊞8 l′) = 0}.Since the word-wise modular addition ⊞8 only has carries from the low order bitsto the high order bits, when x and y have their τ low-order bits set to zero, x⊞8 yalso has τ low-order bits set to zero. Moreover, the join ◮◭ can still be computedefficiently. We first negate the list L and define −L = {(−l, a) | (l, a) ∈ L}, where−l is the additive inverse with regard to the word-wise addition, i.e. l ⊞8 (−l) = 0.Then we sort −L and L′ according to their lower τ bits, and step through the listsin parallel. When an element of −L and an element of L′ agree on their low bit, thecorresponding sum will have its low bits equal to zero. Therefore, this variant ofWagner’s algorithm is suitable for a tag second-preimage attack on the π-cipher.We give a full description of an attack with ω = 16 in Algorithm 1; this attackuses 8 lists of size 232 (illustrated by Figure 2), i.e. we consider an 8-block message,with 232 possibilities for each block. This gives a complexity of 235. More generally,we can apply Wagner’s attack to different versions of π-cipher (i.e. with differentvalues of ω), and several trade-offs between the message length and the attackcomplexity are possible. We give some parameters in Table 1.Table 1. Attack parametersOptimal parameters Short messagesω m |L| Complexity m |L| Complexity16 211 211 222 23 232 23532 216 215 231 27 232 23964 222 223 245 215 232 247L1 L2 L3 L4 L5 L6 L7 L8L12⊲⊳n/4L34⊲⊳n/4L56⊲⊳n/4L78⊲⊳n/4L1234⊲⊳2n/4L5678⊲⊳2n/4L12345678⊲⊳3n/48 lists of 2n/4 elements4 lists of 2n/4 elementswith 2n/4 zeros2 lists of 2n/4 elementswith 22n/4 zeros1 list of 2n/4 elementswith 23n/4 zerosFig. 2. Wagner’s algorithm for m = 8References1. Camion, P., Patarin, J.: The knapsack hash function proposed at crypto’89 can be broken. In:Davies, D.W. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 547, pp. 39–53.Springer (1991)2. Gligoroski, D., Mihajloska, H., Samardjiska, S., Jacobsen, H., El-Hadedy, M., Jensen, R.E.:π-Cipher. Submission to CAESAR. Available from: http://competitions.cr.yp.to/round1/picipherv1.pdf (v1) (March 2014)3. Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO. Lecture Notes inComputer Science, vol. 2442, pp. 288–303. Springer (2002)Algorithm 1 Short message attack with ω = 16 and m = 8.for 0 ≤ i < 8 dofor 0 ≤ j < 232 doL[i][j]← (e(i, [j]), j)end forend forL[ 8]←Merge(L[0], L[1], 32)L[ 9]←Merge(L[2], L[3], 32)L[10]←Merge(L[4], L[5], 32)L[11]←Merge(L[6], L[7], 32)L[12]←Merge(L[8], L[9], 64)L[13]←Merge(L[10], L[11], 64)L[14]←Merge(L[12], L[13], 96)for all (l, (((a1, a2), (a3, a4)), ((a5, a6), (a7, a8)))) ∈ L[14] doif l = 0 thenreturn [a1] ‖ [a2] ‖ [a3] ‖ [a4] ‖ [a5] ‖ [a6] ‖ [a7] ‖ [a8]end ifend forfunction Merge(L,L′, τ)Sort(L, −lowτ )Sort(L′, lowτ )i← 0j ← 0M ← ∅while i < |L| and j < |L′| do(l, a)← L[i](l′, a′)← L′[j]if lowτ (−l) = lowτ (l′) thenM ←M ∪ {(l ⊞8 l′, (a, a′))}else if lowτ (−l) < lowτ (l′) theni← i+ 1elsej ← j + 1end ifend whilereturn Mend function

Tag Second-preimage Attack against π-cipher

https://hal.inria.fr/hal-00966794/document

Tag Second-preimage Attack against π-cipher

Abstract

Similar works

Full text

Available Versions

INRIA a CCSD electronic archive server