Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function *
|
|
- Irma Taylor
- 6 years ago
- Views:
Transcription
1 JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 30, (014) Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function * JIAN ZOU 1,, WENLING WU 1, SHUANG WU 1 AND LE DONG 1, 1 TCA Institute of Software Chinese Academy of Sciences Beijing, P.R. China Graduate University of Chinese Academy of Sciences Beijing, P.R. China {zoujian; wwl; wushuang; dongle}@is.iscas.ac.cn The Grøstl hash function is one of the five finalists in the third round of SHA-3 competition hosted by NIST. In this paper, we propose some improved (pseudo) preimage attacks on the Grøstl hash function by using some techniques, such as subspace preimage attack and the guess-and-determine technique. We present the improved pseudo preimage attacks on 5-round Grøstl-56 hash function and 8-round Grøstl-51 hash function, and the complexities of these attacks are ( 39.90, ) (in time and memory) and ( , 499 ), respectively. We also extend the pseudo preimage from 5 rounds to 6 rounds for Grøstl-56 hash function, besides the biclique attack. Furthermore, we propose the pseudo second preimage attack on 6-round Grøstl-56 hash function. The complexities of our 6-round (pseudo) preimage and second preimage attacks are ( 53.6, ) and ( 51.0, 5.0 ), respectively. As far as we know, these are the best known preimage attacks on round-reduced Grøstl hash function. Keywords: Grøstl, hash function, meet-in-the-middle, guess-and-determine, preimage attack, initial structure 1. INTRODUCTION Cryptographic hash function is an important primitive in modern cryptography, it is used in many applications, including MAC algorithms, digital signature schemes and so on. In general, hash function must satisfy three security requirements: preimage resistance, second preimage resistance and collision resistance. After the pioneering work of Wang et al., many new methods were proposed to attack hash functions. There is a strong need for a secure and efficient hash function since the cryptanalysis of hash functions has been significantly improved. In 007, NIST announced the SHA-3 competition [8] in order to select a secure hash function design. Grøstl [4] is one of the five finalists in the third round of SHA-3 competition, which is proposed by Gauravaram et al. Grøstl is an iterated hash function based on the Merkle- Damgård design. It adopts the wide-pipe compression function and follows the AES design strategy. Since the state is double-sized as the hash value, it is difficult to construct an attack on Grøstl hash function. In FSE 008, Leurent [7] proposed the first preimage attack on the full MD4 hash function. From then on, many preimage attacks were published and some novel tech- Received January 11, 013; revised April 1 & July 10 & October 18, 013; accepted November 3, 013. Communicated by Vincent Rijmen. * This work is supported by The National Basic Research Program of China 973 Program (013CB33800); The National Natural Science Foundation of China (617476, ). 1789
2 1790 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG niques were proposed. One of them was the meet-in-the-middle (MitM) preimage attack with the splice-and-cut technique. This method was first proposed by Aoki and Sasaki to attack MD4 []. The MitM preimage attack has been applied to many hash functions such as MD4 [, 7], MD5 [11], Tiger [5], HAVAL-3/4 [10], RIPEMD [15], SHA-0/1 [3], and SHA- [1, 5]. In CRYPTO 009, Aoki and Sasaki [3] combined the MitM attack with the guessing of carry bits technique to improve their preimage attacks on SHA-0 and SHA-1. In FSE 011, Sasaki [9] proposed the MitM preimage attack on AES hash mode for the first time. In FSE 01, Wu et al. [16] improved its complexity and proposed the pseudo preimage attack on Grøstl hash function. Firstly, the pseudo preimage attack of Wu et al. was converted into a three-sum problem. Then, utilizing the b-bit partial preimage technique, the authors made their complexity lower than the birthday bound. In this article, we found out that the attack of Wu et al. could be divided into twophase MitM attacks. It was only necessary to solve the subspace preimage instead of the b-bit partial preimage in the first phase of the MitM attack. Then the left relationships would be matched in the second time MitM attack. The detail of the subspace preimage was shown in the following sections. Compared with b-bit partial preimage, the subspace preimage could achieve some balance between the two-phase MitM attacks, and then reduce the overall complexity. Using the subspace preimage technique, we proposed an improved pseudo preimage attack on 5-round Grøstl-56 hash function. Then we combined the guess-and-determine technique with the MitM attack to improve the pseudo preimage attack on 8-round Grøstl-51 hash function. We also proposed a pseudo preimage attack and a pseudo second preimage attack on 6-round Grøstl-56 hash function by using a complicated initial structure. Our results are summarized in Table 1. Table 1. Comparison to previous works. Algorithm Target Attack Type Rounds Time Memory Source Hash Function Collision 3 64 [13] Compression Function Semi-Free-Start Collision [13] Permutation Distinguisher [1] [16] Grøstl-56 Output Transformation Preimage [6] Sect [16] Pseudo Sect.4 Preimage Hash Function Sect.6 Pseudo Second Preimage Sect.7 Hash Function Collision 3 19 [13] Compression Function Semi-Free-Start Collision [1] Grøstl [16] Output Transformation Preimage Sect.5.1 Hash Function Pseudo [16] Hash Function Preimage Sect.5
3 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1791 This paper is organized as follows. We describe Grøstl hash function in Section. In Section 3, we make a brief introduction to the previous work and our improvement work on Grøstl. Then we give our attacks on Grøstl in Sections 4-7. Section 8 concludes this paper..1 Specification of Grøstl. SPECIFICATIONS AND NOTATIONS Grøstl adopts a wide-pipe design. The chaining values are 51-bit and 104-bit for Grøstl-56 and Grøstl-51, respectively. The padding rule is omitted here, since it is not involved in our attacks. Assume a message is padded and divided into message blocks M 0, M 1,, M k-1. The hash value h is generated as follows: CV 0 IV, CV i+1 CF(CV i, M i ) for i = 0, 1,, k 1, h = Trunc n (P(CV k )CV k ). Here IV is the initial value, and CF(CV i, M i ) is the compression function of Grøstl. P(CV k ) is a permutation that is a component of the compression function and will be defined later. Trunc n ( ) is the truncation function. The compression function uses two permutations P( ) and Q( ), and computes as follows (also in Fig. 1): CF(CV i, M i ) = P(CV i M i ) Q(M i ) CV i. Fig. 1. Compression function and Output transformation. Fig.. Byte positions for Grøstl-56. Here, byte positions in a state S for Grøstl-56 hash function are denoted by integer numbers N, N {0, 1,,, 63}, as shown in Fig.. We often denote several bytes of state S by S[a, b, ], e.g. 8 bytes in the rightmost column are denoted by S[56, 57,, 63]. Here CV i is the chaining value and M i is the message block. P( ) and Q( ) are AESlike permutations with 8 8 and 8 16 sized states for Grøstl-56 and Grøstl-51, respectively. Grøstl-56 adopts 10-round P( ) and Q( ). Grøstl-51 uses 14-round P( ) and Q( ). The round function of the permutations consists of the following four operations: AddConstant: The AddConstant operation xors a round constant to the state. SubBytes: The SubBytes transformation applies an S-box to each cell of the state. ShiftRows: The ShiftRows transformation cyclically rotates the cells of the ith row leftward by a shift vector (define later). MixColumns: In the MixColumns operation, each column of the matrix is multiplied by an MDS matrix.
4 179 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG We use AC, SB, SR and MC to denote these transformations for short. The shift vectors used in P( ) and Q( ) are different. P( ) in Grøstl-56 uses (0, 1,, 3, 4, 5, 6, 7) and in Grøstl-51 uses (0, 1,, 3, 4, 5, 6, 11). Q( ) in Grøstl-56 uses (1, 3, 5, 7, 0,, 4, 6) and in Grøstl-51 uses (1, 3, 5, 11, 0,, 4, 6). For a detailed explanation, we refer to the original paper [4]. As shown in the submission document of Grøstl [4], if we make CV i = CV i M i, then the compression function can be rewritten as CF( CV, M ) P( CV ') CV ' Q( M ) M. i i i i i i This important property will be used in our attacks.. Definition of Attacks Suppose that the range of the target function H is {0, 1} n. Several attacks are defined as follows: Definition 1 (Preimage Attack): Given IV and t, find M such that H (IV, M) = t. Definition (Pseudo Preimage Attack): Given t, find (IV, M) such that H (IV, M) = t. Definition 3 (Partial Preimage Attack): Given IV and t 0, find M such that H (IV, M) = t 0 * (or Trunc s (H (IV, M)) = t 0 ), where t 0 is an s-bit value and Trunc s ( ) is the truncation function. Definition 4 (Subspace Preimage Attack): Given IV and t, find M such that L(H(IV, M)) = t, where L( ) is a function with a range of {0,1} s and s n. Definition 5 (Pseudo Second Preimage Attack): Given H(IV 1, M 1 ) = t, find (IV, M ) such that H(IV, M ) = H(IV 1, M 1 ) = t. The partial preimage attack is used by Wu et al. [16] for the intermediate step of the pseudo preimage attack on Grøstl hash function. In this paper, our 5-round and 8-round pseudo preimage attacks on Grøstl hash function are based on subspace preimage attack. Specifically, by finding preimages in a linear subspace (with a linear function L( )), we can reduce the overall complexity of the previous attack. The details will be described in the following sections. 3.1 Previous Works 3. PREVIOUS WORKS AND OUR IMPROVEMENT In FSE 01, Wu et al. [16] proposed the pseudo preimage attacks on Grøstl hash function. Their ideas can be summarized as below. Suppose the length of the hash output is n-bit and the state size is n-bit. To find a pseudo preimage (CV, M) of Grøstl, it is desirable to invert the output transformation of Grøstl. Let X = CF (CV, M), then X is the
5 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1793 preimage of the output transformation. With H = CV M, we get (P(H) H) (Q(M) M) X = 0. Then the pseudo preimage attack turns into a three-sum problem. Using four parameters x 1, x, x 3 and b, the attack process can be described as follows (also in Fig. 3): Step 1: Find x1 preimages X of the output transformation and store them in a lookup table L 1. 3 Step : Find x H such that the leftmost b bits of P(H) H are zero. This step is considered to find partial zero preimages on P(H) H. Then store P(H) H in a lookup table L. Step 3: Find x random M with the correct padding and calculate Q(M) M. Check if there exists an entry in L 1 that matches the leftmost b bits of Q(M) M. Then x x b partial matches Q(M) M X, whose leftmost b bits are all zero, are expected to remain Step 4: For each of the x x b Q(M) M X remained in Step 3, check if there exists an entry in L that matches the remaining (n b) bits. Once a full match is found, a pseudo preimage of Grøstl hash function is found. Fig. 3. Outline for Wu s attack on Grøstl. Fig. 4. Outline for our attack on Grøstl. 1 Suppose for Grøstl with n-bit state, it needs C ( n, n) computations to find a fixed position n-bit partial preimage of X and it needs C ( n, b) computations to find a chosen position b-bit partial preimage of P(H) H. Then the complexity for each step can be 1+ 1(, ) calculated as follows: In Step 1, building the lookup table L 1 takes x C n n computations and x1 3+ (, ) memory. In Step, building the lookup table L takes x C n b computations and x3 memory. In Step 3, it takes x Q calls to calculate Q(M) M in order to check the partial match in lookup table L 1. The complexity is equivalent to x -1 compression function calls. In Step 4, checking the final match for x x b candidates needs 1+ - x x b 1+ - table lookup, which can be equivalently regarded as x x b C TL compression function calls. C TL is the complexity of one table lookup, where unit one is one compression function call. C TL is chosen as 1/640 and 1/048 for 6-round Grøstl-56 and 8-round
6 1794 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG Grøstl-51, respectively. And the overall complexity to compute the pseudo preimage of x1+ C1( n, n) x3+ C( n, b) x-1 x1+ x-b 1 3 Grøstl is: C TL, with memory requirement of x + x. x Note that the condition of 1 + x + x 3 - n 1should be satisfied in order to find one final match. 3. Outline for Our Pseudo Preimage Attack on the Grøstl Hash Function Since the attack of Wu et al. can be divided into two-phase MitM attack, we just need the state to satisfy some linear relationships instead of finding a b-bit partial pre- image in the first phase of the MitM attack. We can reduce the complexity of C ( n, b) in this way. Since the overall complexity of Wu et al. is calculated by x 1, x, x 3, C 1 (n, n) and C (n, b), if we can reduce the complexity of C ( n, b) and find the balance between other parameters, the overall complexity can be reduced. We will show how to find the balance in the following sections. As a result, we propose the subspace preimage attack to improve the b-bit partial preimage attack. Subspace preimage attack can be defined by a linear subspace (with a linear function L( )). In subspace preimage attack process, we store the L(A) in the lookup table L Sub, and check if there exists an entry in L Sub that L(A) is equal to L(B). If we find one, L(A B) is equal to 0, which means A B is in the linear subspace. In other words, we just match the linear relationship in subspace preimage attack. In this way, we can decrease the load for the partial matching. An example of the subspace preimage attack is shown in Fig. 5. We should compute the 16-bit state value (red) in partial preimage attack, however we just need to find the value of the two states (red) to satisfy a given 8-bit linear relationship (decided by the blue states) in the subspace preimage attack. Note that the subspace preimage attack is valid when the whole attack process can be divided into two-phase MitM attack (also in Fig. 4). Fig. 5. An example of subspace preimage attack. In [16], the notation (, ) C n b stands for the complexity to find a b-bit chosen position partial preimage of P(H) H. We adopt the same notation for the subspace preimage. Here, b denotes the bit size of the output of the linear function L( ). The linear subspace defined by the equation L(x) = t 0 whose dimension is n b. Note that a b-bit partial preimage is a special kind of subspace preimage, where the linear function for the subspace is L(x) = Trun b (x). As shown in Fig. 4, the attack can be described as follows: we adopt the subspace preimage attack in the first stage of MitM attack. Then we match the left bytes in the second time MitM attack. Using the same four parameters x 1, x, x 3 and b, our attack process can be described as follows:
7 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1795 Step 1: Find x1 preimages X of the output transformation and store them in a lookup table L 1. Step : Find x3 subspace preimages of P(H) H. Then store P(H) H in a lookup table L. Step 3: Find x random M with the correct padding and calculate Q(M) M. Check if there exists an entry in L 1 that Q(M) M X is in the same subspace of P(H) H Then x x b partial matches Q(M) M X are expected to remain Step 4: For each of the x x b QM ( ) M Xremained in Step 3, check whether there exists an entry in L that matches the remaining (n b) bits. Once a full match is found, a pseudo preimage of Grøstl hash function is found. Then the overall complexity to compute the pseudo preimage of Grøstl is similar to Wu et al. [16] and can be written as: x1+ C1( n, n) x3+ C( n, b) x-1 x1+ x-b C TL, (1) 1 3 with the memory requirement of x + x. Note that our subspace preimage attack just improve the complexity of C ( n, b ). 4. IMPROVED PSEUDO PREIMAGE ATTACK ON 5-ROUND GRØSTL-56 HASH FUNCTION According to Eq. (1), the overall complexity to compute the pseudo preimage of Grøstl depends on parameters: x 1, x, x 3, C 1 (n, n) and C (n, b). 1 Since Wu et al. [16] have proved that their method to compute C (51,56) = 06 for 1 5-round Grøstl-56 is optimal, it seems impossible to improve the C (51,56). However we find that C (51, b) can be optimized by the subspace preimage attack. We will show our techniques in this section. As a result, we can improve the overall complexity of pseudo preimage attack on 5-round Grøstl Subspace Preimage Attack on P(H) H We show the chunk separation for the subspace preimage attack in Fig. 6. As shown in Fig. 6, we adopt the MitM attack here and there are five colors shown in it. The red/ blue color bytes mean neutral bytes. They are independent from each other. The white color bytes stand for the bytes whose values are affected by both red and blue bytes, and we cannot determine their values until a partial match is found. The gray bytes are constants, which we can choose randomly in the initial structure. The yellow (principal diagonal) bytes are truncated bytes. For convenience, some parameters for the MitM attack should be presented: the matching point size m, the freedom degrees D r (corresponding to red bytes) and D b (corresponding to blue bytes). Without loss of generality, we assume that D b D r. We use
8 1796 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG AC SB SR MC AC SB SR MC AC SB SR MC Initial structure AC SB SR MC AC SB SR MC Matching point Fig. 6. Chunk separation of 5-round chosen position subspace preimage attack on P(H) H for Grøstl-56. (d r, d b ) to indicate the actually used freedom degrees. The MitM preimage attack can be described in the following steps: Step 1: Set random values to constants in the initial structure. Step : For all possible dr values of red bytes, compute backward from the initial structure and obtain the values at the matching point. Store the values in a lookup table L r. Step 3: For all possible db values of blue bytes, compute forward from the initial structure and obtain the results at the matching point. Check if there exists an entry in L r that matches the result at the matching point. Step 4: If no full match has been found, repeat the above 3 steps. In Fig. 6, freedom degrees for the red and blue bytes are D r (= 48 bits) and D b (= 64 bits). Besides, the matching point size is m max (= 64 bits), since we can construct 64 bits linear relationship for the last four columns. If we just set d r = d b = 48 bits and m best = 48 bits, we can find 48 (= / 48 ) 48-bit subspace preimages with the complexity of 48. It means that a 48-bit subspace preimage is found with the complexity of 0 (= 48 / 48 ). Here the complexity is measured by compression function calls. It takes about half P ( ) calls in the MitM attack, i.e. 1/4 compression function calls to evaluate the matching point for each direction. Therefore the complexity has a fraction C (51,48) - 0 : =. We will multiply the same coefficient in the following of this paper. The complexity of C( 51,48) in our attack is smaller than the complexity of C ( 51,31) 14 in Wu s attack. 1 With C ( 51,56) 06 C( 51,48) and, we can compute the best overall complexity of the pseudo preimage attack for 5-round Grøstl-56. When b = 48, x 1 = 3.4, x = 39.4 and x 3 = 40.4, we can improve the overall complexity to about Memory requirement is about 40.4.
9 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL IMPROVED PSEUDO PREIMAGE ATTACK ON 8-ROUND GRØSTL-51 HASH FUNCTION In this section, we will discuss how to reduce the overall complexity of the 8-round pseudo preimage attack on Grøstl-51 hash function by improving the complexity of 1 C (104,51) and C (104, b ). 5.1 Preimage Attack on 8-round Grøstl-51 Output Transformation Our 8-round preimage attack on the output transformation of Grøstl-51 combines the guess-and-determine technique with the MitM attack. The guess-and-determine technique was firstly used in the preimage attack on SHA-0/SHA-1 by Aoki and Sasaki [3]. By guessing some unknown bytes, all the possible values of the guessed bytes are used as extra freedom degrees in the MitM attack. As a result, we can obtain enough matching points. Note that the guessed bytes are extra constraints after finding a partial match, and we should check the guessed value to produce a valid preimage. We will show more details about the guessing technique in the following attack algorithm. The chunk separation of the 8-round attack (combine the guess-and-determine technique with the MitM attack) is shown in Fig. 7. Since Grøstl-51 compression function has slow diffusion, we can construct a -round initial structure easily. As shown in Fig. 7, we use the purple bytes (counter-diagonal) as the guessed bytes and other colors are the same meanings as described in the MitM attack. In order to evaluate the complexity for this attack, we should define these parameters: freedom degrees in red and blue bits (D r, D b ), the guessed red and blue bits (D gr, D gb ), the bits of the matching point m and the bits of the partial preimage size b. Here we also use (d r, d b ) to denote the actually used freedom degrees. The attack procedure is similar to the MitM attack which can be described as follows: Step 1: Set the constants in the initial structure randomly. Step : For all possible values dr of the red bytes and Dgr of the guessed red bytes, compute backward from the initial structure and obtain the value at the matching point. Store the values in a lookup table L. Step 3: For all possible value d D b of the blue bytes and gb of the guessed blue bytes, compute forward from the initial structure and obtain the value at the matching point. Check if there exists an entry in L that matches the result at the matching point. The expected number of the partial matches is dr dbdgr Dgb m. Step 4: Once a partial match is found; compute and check if the guessed value is right. Dgr Dgb d The probability of the validity is. There are r d b m valid partial matches left. Then we continue the computation and check the full match. The probability that a partial match is a full match is n ( ) m. Step 5: The success probability for the above 4 steps (from Step 1 to Step 4) is ( ) ( ) d r d b D gr D gb m gr gb r b D D nm d d n. Then we should repeat the above four steps
10 1798 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG ndr db times to find a full match. The complexity for each step can be calculated as follows: In Step, building the d lookup table L takes r D gr d computations and memory. In Step 3, it takes b D gb computations to find the partial matches. The expected number of the partial matches is dr dbdgr Dgb m dr dbdgr Dgb m. In Step 4, testing all the partial matches needs computations. The probability of the validity is, and there are r d b m valid partial ( Dgr Dgb ) d + ndr db matches left. In Step 5, we should repeat the above four steps times. Then the complexity of the above attack algorithm is: nd r + b + r + b + + r d d D b gr d Dgb d d Dgr Dgb m ( ). () In Fig. 7, the parameters for the attack on the output transformation of 8-round Grøstl are as follows: d r = d b = 80 bits, D gr = D gb = 40 bits, m = 144 bits and n = 51 bits. According to Eq. (), the complexity of our attack can be calculated as C 1(104,51) = - 51 ( ) 470 compression function calls. The memory requirement is = 10. Then the complexity of C 1(104,51) 470 in our attack is smaller than the complexity of C 1(104,51) 495 in Wu s attack. Note that the guess-and-determine technique is especially useful for the slow diffusion target. Fig. 7. Chunk separation of preimage attack on 8-round Grøstl-51 output transformation.
11 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL Subspace Preimage Attack on P(H)H We show the chunk separation of subspace preimage attack on P(H)H in Fig. 8. Note that we do not adopt the guess-and-determine technique here, because we cannot find a good guess-and-determine way to make the complexity better than the simple MitM attack. We find out the guess-and-determine method is not fit for the b-bit subspace preimage attack when b is small. The parameters for the MitM attack: the freedom degrees D r = 16 bits, D b = 16 bits. The size of matching point b max is 3 bits. We set d r = d b = b best = 16 bits, and then we can find 16 (= / 16 ) 16-bit subspace preimages with the complexity of 16. It means that a 16-bit subspace preimage is found with the complexity of 0 (= 16 / 16 ). The complexity is C (104,16) 0. C According to Eq. (1) and 1 (104,51) 470 C, (104,16), we can rewrite the overx all complexity as 1470 x3 x1 x1x16 C TL. When b = 16, x 1 = 7, x = 498 and x 3 = 499, it has the minimum complexity The memory requirement is 499. Note that we can use the memoryless MitM attack in our pseudo preimage attack, but the memoryless MitM attack leads to a higher complexity. Moreover, the memory requirement of our attack is mainly on the generalized birthday attack [14], which is much bigger than the requirement in the MitM preimage attacks. As a result, we do not use the memoryless MitM technique. Fig. 8. Chunk separation of 8-round chosen position subspace preimage attack on P(H) H for Grøstl-51.
12 1800 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG 6. PSEUDO PREIMAGE ATTACK ON 6-ROUND GRØSTL-56 HASH FUNCTION Since Grøstl-56 compression function achieves full diffusion in two rounds, the previous techniques only can attack 5-round Grøstl-56. Using so-called biclique technique, Khovratovich [6] has proposed a 6-round attack on Grøstl-56 output transformation function. 6.1 Preimage Attack on 6-round Grøstl-56 Output Transformation Our 6-round preimage attack is obtained by combining the MitM attack with a complicated initial structure. The detail of the initial structure is shown as follows (also in Fig. 9): Fig. 9. Chunk separation of preimage attack on 6-round Grøstl-56 output transformation. Step 1: Randomly set the State value #6[1,3,5,7,8,10,1,14,17,19,1,3,4,6,8,30] (gray). Step : Set the value of the State #4[0,5,6,7,8,9,14,15,16,17,18,3,4,5,6,7] (blue) so that the chosen 4 bytes at State #3[7,14,1,8] (red) can be achieved through the Inverse- MixColumns operation. Step 3: For each value of the State #4[0,5,6,7,8,9,14,15,16,17,18,3,4,5,6,7] (blue), we can calculate through the SubBytes and ShiftRows operations and get the corresponding values of the State #5[0,1,,3,8,9,10,15,16,17,,3,4,9,30,31] (blue). Step 4: With the known values of State #5 (blue) and State #6 (gray), we calculate the rest blue bytes of State #5 and State #6 through the MixColumns operation. Step 5: With the calculated bytes #5[4,5,6,7,11,1,13,14,18,19,0,1,5,6,7,8], we compute the values of #4[33,34,35,36,4,43,44,45,51,5,53,54,60,61,6,63] through the Inverse-ShiftRows and Inverse-SubBytes operations. We check whether the values of the
13 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1801 State #4[33,34,35,36,4,43,44,45,51,5,53,54,60,61,6,63] satisfy the linear relationship so that the chosen 4 bytes at #3[35,4,49,56] can be achieved through the Inverse-Mix- Columns operation. For Grøstl-56 compression function, we suppose that it needs C r computations to find a suitable initial structure for the forward direction (from #6 to #8) and it needs C b computations to find a suitable initial structure for the backward direction (from #6 to #4). Then the complexity to find a suitable initial structure can be written as follows: ndbdr d ( r Cr dbcb dbdr m n Cr db Cbdr m ) ( ). (3) Note that the initial structure is from State #4 to State #8, the above steps just shows the process from State #6 to State #4 (backward direction). The process form State #6 to State #8 (forward direction) is similar to the process from State #6 to State #4, and we omit the details. The state values of #4[33,34,35,36,4,43,44,45,51,5,53,54,60,61,6,63] in Step 5 should satisfy an 8-bit linear relationship in each column, so we should repeat the above 5 steps 3 times to get an initial structure that satisfies our requirements. Compared with the guess-and-determine MitM attack, our new attack has two advantages: 1. We do not require the matching points m > D b +D r. It only requires d r > C b and d b > C r.. There are no guessed bytes; we do not have to check if the guessed values are right. Therefore this attack is suitable for the partial preimage attack. The parameters for this attack are as follows: C r = C b = 3 bits, d r = d b = 40 bits, m = 8 bits and n = 56 bits. According to Eq. (3), the complexity is C 1 (51,56) = - 56 ( ) 46 compression function calls. Note that the complexity of ( 46, 8 ) (time, memory) in our attack is smaller than ( 51, 51 ) in Khovratovich attack [6]. 6. Preimage Attack on P(H) H Since the guess-and-determine MitM attack is not suitable for the partial preimage attack, our new 6-round preimage attack is suitable to achieve a better C 1(n,b). As shown in Fig. 9, the parameters for our attack are as follows: C r = C b = 3 bits, m = 8 bits. We set d r = d b = 40 bits, then 8 (= / 8 ) 8-bit subspace preimages can be found with a complexity of 8. It means that an 8-bit subspace preimage can be found with a complexity of 0 (= 8 / 8 ). Then the complexity is C (51,8) = According to Eq. (1) and C 1(51,56) 46, C (51,8) -, we can rewrite the overall complexity as x x x -1 + x 1 +x -8 C TL. When x 1 = 5.67, x = 5.67, b = 8 and x 3 = 53.67, the minimum complexity is The memory requirement is PSEUDO SECOND PREIMAGE ATTACK ON 6-ROUND GRØSTL-56 HASH FUNCTION Given Grøstl (CV 0, M 0, M 1 ) = h, we want to find another (CV 0, M 0, M 1 ) such that
14 180 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG Grøstl(CV 0, M 0, M 1 ) = h. Let CV 1 = CF (CV 0, M 0 ), then CV 1 is the input to the last block of compression function. If we want to find the pseudo second preimage of Grøstl, then h, CV 1 and M 1 are known to us. Note that M 1 obeys the right padding rule. If we can use some techniques to find (CV 0, M 0 ) that satisfies P(CV 0, M 0 ) Q(M 0 ) CV 0 = CV 1, (4) then we find a pseudo second preimage of Grøstl. In the following, we will show how to find a (CV 0, M 0 ) that satisfies Eq. (4). As shown in Fig. 10, the attack turns into a two-phase MitM attack. With parameters y 1, y, y 3 and b, the attack process can be described as follows: Step 1: Find y1 1 b-bit partial preimages of P(H) H. We should store the y P(H)H and H in the lookup table L ps. Step : Find y the same b-bit partial preimages of Q(M 0 )M 0 as P(H) H in L ps. Check whether the remaining n-b bits are the same to CV 1. Once a full match is found, we find a (CV 0, M 0 ) such that it satisfies P(CV 0, M 0 ) Q(M 0 )CV 0 = CV 1. Then (CV 0, M 0, M 1 ) is a pseudo second preimage of Grøstl. Suppose that for Grøstl with n-bit state, it needs 3 C ( n, b) and 4 C ( n, b) computations to find a b-bit partial preimage of P(H) H and Q(M 0 )M 0, respectively. Fig. 10. Outline for our pseudo second preimage attack on Grøstl. Then we can calculate the complexity for each step of the attack algorithm. In Step 1, it takes 1 3 y C ( n, b) computations and y1 memory to build the lookup table L ps. In Step, it takes 4 y C ( n, b) computations to calculate y the given b-bit partial preimage of Q(M 0 ) M 0 and check whether the remaining n-b bits are the same to CV 1. y As a result, the overall complexity is 1C3( n, b) yc4( n, b), with memory requirement of 1 y y. Note that we need 1+ y- n 1 in order to find a full match.
15 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL Preimage Attack on P(H) H and Q(M 0 ) M 0 of Grøstl-56 The chunk separations for P(H) H and Q(M 0 ) M 0 are shown in Figs. 9 and 11, respectively. As shown in Fig. 9, the freedom degrees for the partial preimage attack on P(H) H are D r = 18 bits, D b = 18 bits. The sizes of the matching point are b = 8 bits and n = 56 bits. The cost to construct the complicated initial structure is C r = C b = 3 bits. We set d r = d b = b = 40 bits, then we can find 8 (= / 8 ) 8-bit partial preimages with a complexity of 8. The average complexity to compute an 8-bit partial preimage is 0 ( 8 / 8 ). So we can calculate the complexity of an 8-bit partial preimage C attack on P(H) H: 3 (51,8) = =. This means we just need - computation to get an 8-bit partial preimage on P(H) H. As shown in Fig. 11, it also takes - computation to get the same 8-bit partial preimage on Q(M 0 ) M 0 as P(H) H. If we choose y 1 = y = (518)/ = 5, the complexity to calculate the pair (CV 0, M 0 ) is = 51 and the memory is 5. Then we can find a pseudo second preimage of Grøstl-56. Since the guess-and-determine technique is not suitable for the b-bit partial preimage attack (when b is small), we cannot find a pseudo second preimage attack on 8-round Grøstl-51 whose complexity is better than the pseudo preimage attack on 8-round Grøstl-51. Fig. 11. Chunk separation of 6-round preimage attack on Q(M 0 ) M 0 of Grøstl CONCLUSION In this paper, we improved the pseudo preimage attack on 5-round Grøstl-56 hash function. In addition, we improved the pseudo preimage attack on 8-round Grøstl-51 hash function by combining the guess-and-determine technique with the MitM attack. At last we constructed a 6-round pseudo preimage attack and a 6-round pseudo second preimage attack on Grøstl-56 hash function by using a complicated initial structure. We found out that the guess-and-determine MitM attack was useful to solve the full preimage attack instead of the partial preimage attack. We should check whether the guessed bits were correct, which was not suitable to solve the partial preimage problem. Since the choices of numbers and positions for the guessed bits were too many, it seemed impossible to do an exhaustive search. So it remains to be an open problem to find the op-
16 1804 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG timal guess-and-determine strategy for Grøstl. If we could divide the attack process into several phases of MitM attack, we could use the subspace technique to improve the overall complexity. In our attack, it was hard to attack more rounds of Grøstl because the difference Shift- Row operations between P ( ) and Q ( ). These results showed that it was good to adopt difference ShiftRow operations between P ( ) and Q ( ). Our attacks do not threat any security claims of Grøstl. ACKNOWLEDGEMENT The authors would like to thank Lei Wang and Jian Guo for their inspiring suggestions. The authors would like to thank anonymous referees for their helpful comments and suggestions. This work is supported by the National Basic Research Program of China 973 Program (013CB33800), and the National Natural Science Foundation of China (617476, ). REFERENCES 1. K. Aoki, J. Guo, K. Matusiewicz, Y. Sasaki, and L. Wang, Preimages for step-reduced SHA-, in Proceedings of ASIACRYPT, LNCS, Vol. 591, 009, pp K. Aoki and Y. Sasaki, Preimage attacks on one-block MD4, 63-step MD5 and more, in Proceedings of the 15th International Workshop on Selected Areas in Cryptography, LNCS, Vol. 5381, 008, pp K. Aoki and Y. Sasaki, Meet-in-the-middle preimage attacks against reduced SHA- 0 and SHA-1, in Proceedings of CRYPTO, LNCS, Vol. 5677, 009, pp P. Gauravaram, L. R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer, and S. S. Thomsen, Grøstl a SHA-3 candidate, Submission to NIST (Round 3), J. Guo, S. Ling, C. Rechberger, and H. X. Wang, Advanced meet-in-the-middle preimage attacks: First results on full tiger, and improved results on MD4 and SHA-, in Proceedings of ASIACRYPT, LNCS, Vol. 6477, 010, pp D. Khovratovich, Bicliques for permutations: Collision and preimage attacks in stronger settings, in Proceedings of ASIACRYPT, LNCS, Vol. 7658, 01, pp G. Leurent, MD4 is not one-way, in Proceedings of FSE, LNCS, Vol. 5086, 008, pp National Institute of Standards and Technology, Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family, Federal Register, 7(1):61-60, 007, documents/fr_notice_nov07.pdf. 9. Y. Sasaki, Meet-in-the-middle preimage attacks on AES hashing modes and an application to whirlpool, in Proceedings of FSE, LNCS, Vol. 6733, 011, pp Y. Sasaki and K. Aoki, Preimage attacks on 3, 4, and 5-pass HAVAL, in Pro-
17 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1805 ceedings of ASIACRYPT, LNCS, Vol. 5350, 008, pp Y. Sasaki and K. Aoki, Finding preimages in full MD5 faster than exhaustive search, in Proceedings of EUROCRYPT, LNCS, Vol. 5479, 009, pp Y. Sasaki, Y. Li, L. Wang, K. Sakiyama, and K. Ohta, New non-ideal properties of AES-based permutations: Applications to ECHO and Grøstl, in Proceedings of ASIACRYPT, LNCS, Vol. 6477, 010, pp M. Schläffer, Updated differential analysis of Grøstl, Grøstl website, January D. Wagner, A Generalized Birthday Problem in Proceedings of CRYPTO, LNCS, Vol. 44, 00, pp L. Wang, Y. Sasaki, W. Komatsubara, K. Ohta, and K. Sakiyama, Preimage attacks on step-reduced RIPEMD/RIPEMD-18 with a new local-collision approach, in Proceedings of CT-RSA, LNCS, Vol. 6558, 011, pp S. Wu, D. G. Feng, W. L. Wu, J. Guo, L. Dong, and J. Zou, Preimage attack on round-reduced Grøstl hash function and others, in Proceedings of FSE, LNCS, Vol. 7549, 01, pp Jian Zou () is currently a Ph.D. student in Graduate School of Chinese Academy of Sciences and Institute of Software, Chinese Academy of Sciences. His current research area includes cryptanalysis on hash functions and block ciphers. Wen-Ling Wu () is now a Professor at the TCA, Institute of Software, Chinese Academy of Sciences. She received her B.S. and M.S. degrees in Mathematics from Northwest University in 1987 and 1990, respectively. She received her Ph.D. degree in Cryptography from Xidian University in Her current research interests include theory of cryptography, modes of operation, block ciphers and hash functions. Shuang Wu () is now a Lecturer at the TCA, Institute of Software, Chinese Academy of Sciences. He received his Ph.D. degree from Graduate School of Chinese Academy of Sciences and Institute of Software, Chinese Academy of Sciences in 011. His current research area includes provable security and cryptanalysis on hash functions and block ciphers.
18 1806 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG Le Dong () is currently a Ph.D. student in Graduate School of Chinese Academy of Sciences and Institute of Software, Chinese Academy of Sciences. His current research area includes cryptanalysis on hash functions and block ciphers.
Security Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationPreimage Analysis of the Maelstrom-0 Hash Function
Preimage Analysis of the Maelstrom-0 Hash Function Riham AlTawy and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montréal, Québec, Canada Abstract. Maelstrom-0
More informationThe Grindahl hash functions
The Grindahl hash functions Søren S. Thomsen joint work with Lars R. Knudsen Christian Rechberger Fast Software Encryption March 26 28, 2007 Luxembourg 1/ 17 1 Introduction 2 Grindahl 3 Design considerations
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationMeet-in-the-Middle Preimage Attacks on AES Hashing Modes and an Application to Whirlpool
Meet-in-the-Middle Preimage Attacks on AES Hashing Modes and an Application to Whirlpool Yu Sasaki NTT Information Sharing Platform Laboratories, NTT Corporation 3-9-11 Midoricho, Musashino-shi, Tokyo
More informationIntroduction to Cryptology. Lecture 17
Introduction to Cryptology Lecture 17 Announcements HW7 due Thursday 4/7 Looking ahead: Practical constructions of CRHF Start Number Theory background Agenda Last time SPN (6.2) This time Feistel Networks
More informationThe SHA-3 Process. Keccak & SHA-3 day Brussels, 27 March 2013
The SHA-3 Process Keccak & SHA-3 day Brussels, 27 March 2013 Timeline 05 06 07 08 09 10 11 12 13 Summer 2005: Attacks on MD5, RIPEMD, SHA-0, SHA-1 The Wang effect Before 2005 MD4 (Dobbertin) MD5 (Boss.,
More informationPractical attacks on the Maelstrom-0 compression function
Practical attacks on the Maelstrom-0 compression function Stefan Kölbl, Florian Mendel Graz University of Technology, A-8010 Graz, Austria stefan.koelbl@student.tugraz.at Abstract. In this paper we present
More informationOn Optimized FPGA Implementations of the SHA-3 Candidate Grøstl
On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl Bernhard Jungk, Steffen Reith, and Jürgen Apfelbeck Fachhochschule Wiesbaden University of Applied Sciences {jungk reith}@informatik.fh-wiesbaden.de
More informationGrøstl a SHA-3 candidate
Grøstl a SHA-3 candidate http://www.groestl.info Praveen Gauravaram 1, Lars R. Knudsen 1, Krystian Matusiewicz 1, Florian Mendel 2, Christian Rechberger 2, Martin Schläffer 2, and Søren S. Thomsen 1 1
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationCryptography. Summer Term 2010
Summer Term 2010 Chapter 2: Hash Functions Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2 Contents Definition and basic properties Basic design principles
More informationCS-E4320 Cryptography and Data Security Lecture 5: Hash Functions
Lecture 5: Hash Functions Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Hash Functions Birthday Paradox Design of Hash Functions SHA-3
More informationUnderstanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009
Understanding Cryptography by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 29 These slides were prepared by Daehyun Strobel, Christof
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationNarrow-Bicliques: Cryptanalysis of Full IDEA. Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT
Narrow-Bicliques: Cryptanalysis of Full IDEA Dmitry Khovratovich, h Microsoft Research Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT Cryptanalysis 101 Differential attacks Linear
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics
More informationRecent Meet-in-the-Middle Attacks on Block Ciphers
ASK 2012 Nagoya, Japan Recent Meet-in-the-Middle Attacks on Block Ciphers Takanori Isobe Sony Corporation (Joint work with Kyoji Shibutani) Outline 1. Meet-in-the-Middle (MitM) attacks on Block ciphers
More informationDesign and Analysis of a New Hash Function Gear
Design and Analysis of a New Hash Function Gear Mohammad A. AlAhmad Public Authority for Applied Education and Training College of Basic Education Computer Science Department P.O.Box 34567 Adaliyah, 73205
More informationThis document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.
This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore. Title Improved Meet-in-the-Middle cryptanalysis of KTANTAN (poster) Author(s) Citation Wei, Lei; Rechberger,
More informationObservations and Attacks On The SHA-3 Candidate Blender
Observations and Attacks On The SHA-3 Candidate Blender Craig Newbold cjnewbold@googlemail.com Abstract 51 candidates have been accepted as first round candidates in NIST s SHA-3 competition, to decide
More informationAnalysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty
Information Systems International Conference (ISICO), 2 4 December 2013 Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti,
More informationBiclique Attack of the Full ARIA-256
Biclique Attack of the Full ARIA-256 Shao-zhen Chen Tian-min Xu Zhengzhou Information Science and Technology Institute Zhengzhou 450002, China January 8, 202 Abstract In this paper, combining the biclique
More informationA Meet in the Middle Attack on Reduced Round Kuznyechik
IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 34 Cryptographic Hash Functions A hash function provides message integrity and authentication
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 4 The Advanced Encryption Standard (AES) Israel Koren ECE597/697 Koren Part.4.1
More informationTruncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher
Truncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher Qianqian Yang 1,2,3, Lei Hu 1,2,, Siwei Sun 1,2, Ling Song 1,2 1 State Key Laboratory of Information Security, Institute of Information
More informationPiret and Quisquater s DFA on AES Revisited
Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université
More informationUpdate on Tiger. Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium
Update on Tiger Florian Mendel 1, Bart Preneel 2, Vincent Rijmen 1, Hirotaka Yoshida 3, and Dai Watanabe 3 1 Graz University of Technology Institute for Applied Information Processing and Communications
More informationVortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication
Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 5 January 23, 2012 CPSC 467b, Lecture 5 1/35 Advanced Encryption Standard AES Alternatives CPSC 467b,
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationENHANCED AES ALGORITHM FOR STRONG ENCRYPTION
ENHANCED AES ALGORITHM FOR STRONG ENCRYPTION V. Sumathy & C. Navaneethan Assistant Professor, Department of CSE, Kingston Engineering College, Vellore, Tamil Nadu, India ABSTRACT In this paper we present
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informatione-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text
e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text Cryptography and Network Security Module 28- Hash Algorithms
More informationInternet Engineering Task Force (IETF) Request for Comments: 6194 Category: Informational. IECA P. Hoffman VPN Consortium March 2011
Internet Engineering Task Force (IETF) Request for Comments: 6194 Category: Informational ISSN: 2070-1721 T. Polk L. Chen NIST S. Turner IECA P. Hoffman VPN Consortium March 2011 Security Considerations
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationFew Other Cryptanalytic Techniques
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationKeccak discussion. Soham Sadhu. January 9, 2012
Keccak discussion Soham Sadhu January 9, 2012 Keccak (pronounced like Ketchak ) is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Keccak is
More informationBlock Ciphers Introduction
Technicalities Block Models Block Ciphers Introduction Orr Dunkelman Computer Science Department University of Haifa, Israel March 10th, 2013 Orr Dunkelman Cryptanalysis of Block Ciphers Seminar Introduction
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 5a January 29, 2013 CPSC 467b, Lecture 5a 1/37 Advanced Encryption Standard AES Alternatives CPSC 467b,
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationAn Improved Algebraic Attack on Hamsi-256
An Improved Algebraic Attack on Hamsi-256 Itai Dinur and Adi Shamir Computer Science department The Weizmann Institute Rehovot 76100, Israel Abstract. Hamsi is one of the 14 second-stage candidates in
More informationBlock Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1
Block Ciphers Lucifer, DES, RC5, AES CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk Block Ciphers 1 ... Block Ciphers & S-P Networks Block Ciphers: Substitution ciphers
More informationProtection of the digital Holy Quran Using SAB hash function
Protection of the digital Holy Quran Using SAB hash function Mohammad A. Ahmad1,a, Dr. Imad Fakhri Alshaikhli1,b, 1 Department of Computer Science, International Islamic University of Malaysia, 53100 Jalan
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More informationComputer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut
Computer Security Spring 2008 Hashes & Macs Aggelos Kiayias University of Connecticut What is a hash function? A way to produce the fingerprint of a file what are the required properties: 1. Efficiency.
More informationDesign of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures
Design of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures 1 Suresh Sharma, 2 T S B Sudarshan 1 Student, Computer Science & Engineering, IIT, Khragpur 2 Assistant
More informationArea Optimization in Masked Advanced Encryption Standard
IOSR Journal of Engineering (IOSRJEN) ISSN (e): 2250-3021, ISSN (p): 2278-8719 Vol. 04, Issue 06 (June. 2014), V1 PP 25-29 www.iosrjen.org Area Optimization in Masked Advanced Encryption Standard R.Vijayabhasker,
More informationImproved Attack on Full-round Grain-128
Improved Attack on Full-round Grain-128 Ximing Fu 1, and Xiaoyun Wang 1,2,3,4, and Jiazhe Chen 5, and Marc Stevens 6, and Xiaoyang Dong 2 1 Department of Computer Science and Technology, Tsinghua University,
More informationEnhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)
Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128) Mohamed Abo El-Fotouh and Klaus Diepold Institute for Data Processing (LDV) Technische Universität München (TUM) 80333 Munich Germany
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Friday, 17 April, 2015 09:59 10. Hash Function Cryptanalysis (v3) Cryptographic hash functions map messages of arbitrary size to a fixed size hash, e.g. a bitstring
More informationIntegral Cryptanalysis of the BSPN Block Cipher
Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University hheys@mun.ca Abstract In this paper, we investigate the application of
More informationJaap van Ginkel Security of Systems and Networks
Jaap van Ginkel Security of Systems and Networks November 17, 2016 Part 3 Modern Crypto SSN Modern Cryptography Hashes MD5 SHA Secret key cryptography AES Public key cryptography DES Presentations Minimum
More informationBYTE SLICING GRØSTL Optimized Intel AES-NI and 8-bit Implementations of the SHA-3 Finalist Grøstl
BYTE SLICING GRØSTL Optimized Intel AES-NI and 8-bit Implementations of the SHA-3 Finalist Grøstl Kazumaro Aoki 1, Günther Roland 2, Yu Sasaki 1 and Martin Schläffer 2 1 NTT Corporation, Japan 2 IAIK,
More informationImproved Meet-in-the-Middle Attacks on AES-192 and PRINCE
Improved Meet-in-the-Middle Attacks on AES-92 and PRINCE Leibo Li,2, Keting Jia 2 and Xiaoyun Wang,2,3 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong
More informationSecurity Analysis of a Design Variant of Randomized Hashing
Security Analysis of a Design Variant of Randomized ashing Praveen Gauravaram 1, Shoichi irose 2, Douglas Stebila 3 1 Tata Consultancy Services, Australia 2 University of Fukui, Japan 3 McMaster University,
More informationAll Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle Approach
All Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle Approach Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com
More informationA Related Key Attack on the Feistel Type Block Ciphers
International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2
More informationAES Advanced Encryption Standard
AES Advanced Encryption Standard AES is iterated block cipher that supports block sizes of 128-bits and key sizes of 128, 192, and 256 bits. The AES finalist candidate algorithms were MARS, RC6, Rijndael,
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationAdvanced Encryption Standard
Advanced Encryption Standard Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK) - Krypto Group Faculty of Computer Science Graz University of Technology Outline Modern
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationPermutation-based symmetric cryptography
Permutation-based symmetric cryptography Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March
More informationDFA on AES. Christophe Giraud. Oberthur Card Systems, 25, rue Auguste Blanche, Puteaux, France.
DFA on AES Christophe Giraud Oberthur Card Systems, 25, rue Auguste Blanche, 92800 Puteaux, France. c.giraud@oberthurcs.com Abstract. In this paper we describe two different DFA attacks on the AES. The
More informationCryptanalysis on Hash Functions. Xiaoyun Wang Tsinghua University & Shandong University
Cryptanalysis on Hash Functions Xiaoyun Wang Tsinghua University & Shandong University 05-10-2006 Outline Introduction to hash function Hash function and signature Dedicated hash function Modular differential
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationCryptanalysis of Haraka
Cryptanalysis of Haraka Jérémy Jean Agence Nationale de la Sécurité des Systèmes d Information Crypto Laboratory FSE 2017 @ Tokyo, Japan March 6, 2017 Jeremy.Jean@ssi.gouv.fr Introduction Let n be a positive
More informationComp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today
Comp527 status items Crypto Protocols, part 2 Crypto primitives Today s talk includes slides from: Bart Preneel, Jonathan Millen, and Dan Wallach Install the smart card software Bring CDs back to Dan s
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory {shahram,haavardr}@simula.no Abstract. We study multidimensional meet-in-the-middle
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationFinding Second Preimages of Short Messages for Hamsi-256
Finding Second Preimages of Short Messages for Hamsi-256 Thomas Fuhr ANSSI, Paris, France and TELECOM-ParisTech, Paris, France thomas.fuhr@ssi.gouv.fr Abstract. In this paper we study the second preimage
More informationA hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 8 Hash Functions 8.1 Hash Functions Hash Functions A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed
More informationAn Improved Truncated Differential Cryptanalysis of KLEIN
An Improved Truncated Differential Cryptanalysis of KLEIN hahram Rasoolzadeh 1, Zahra Ahmadian 2, Mahmoud almasizadeh 3, and Mohammad Reza Aref 3 1 imula Research Laboratory, Bergen, Norway, 2 hahid Beheshti
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security CHF-s are used for many authentication, integrity, digital
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 7 September 23, 2015 CPSC 467, Lecture 7 1/1 Advanced Encryption Standard AES Alternatives CPSC 467,
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran
More informationSecurity Enhancement of the Vortex Family of Hash Functions
Security Enhancement of the Vortex Family of Hash Functions Shay Gueron 1,2 and ichael Kounavis 3 1 obility Group, Intel Corporation 2 University of Haifa, Israel 3 Intel Labs, Circuits and Systems Research
More informationFirst practical results on reduced-round Keccak Unaligned rebound attack. María Naya-Plasencia INRIA Paris-Rocquencourt, France
First practical results on reduced-round Keccak Unaligned rebound attack María Naya-Plasencia INRIA Paris-Rocquencourt, France Outline Introduction First Practical Results [NP-Röck-Meier11] CP-Kernel:
More informationNew Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
New Key-Recovery Attacks on MAC/NMAC-MD4 and NMAC-MD5 Lei Wang, Kazuo Ohta and Noboru Kunihiro* The University o Electro-Communications * The University o Tokyo at present. 1 Motivation o This Research
More informationOn the Security of Stream Cipher CryptMT v3
On the Security of Stream Cipher CryptMT v3 Haina Zhang 1, and Xiaoyun Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100,
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory Abstract. We study multidimensional meet-in-the-middle attacks on the
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationCryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015
Cryptographic Hash Functions Rocky K. C. Chang, February 5, 2015 1 This set of slides addresses 2 Outline Cryptographic hash functions Unkeyed and keyed hash functions Security of cryptographic hash functions
More informationVortex. A New Family of One-Way Hash Functions. Based on AES Rounds and Carry-less Multiplication. Intel Corporation, IL
Vortex A New Family of One-Way Hash Functions Based on AES Rounds and Carry-less Multiplication Shay Gueron Michael E. Kounavis Intel Corporation, IL Intel Corporation, US and University of Haifa, IL Information
More informationCryptanalysis of the Dedicated Hash Functions
Cryptanalysis of the Dedicated Hash Functions Ali Doğanaksoy, Onur Özen, Fatih Sulak, Kerem Varıcı, Emre Yüce Institute of Applied Mathematics, Middle East Technical University, Ankara, Turkey, {aldoks,
More informationDesign of block ciphers
Design of block ciphers Joan Daemen STMicroelectronics and Radboud University University of Zagreb Zagreb, Croatia, March 23, 2016 1 / 49 Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael
More informationRECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT
RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT Manoj Kumar 1, Pratibha Yadav, Meena Kumari SAG, DRDO, Metcalfe House, Delhi-110054, India mktalyan@yahoo.com 1 ABSTRACT In this paper, we have
More informationA New hybrid method in watermarking using DCT and AES
International Journal of Engineering Research and Development e-issn: 2278-067X, p-issn: 2278-800X, www.ijerd.com Volume 10, Issue 11 (November 2014), PP.64-69 A New hybrid method in watermarking using
More informationHash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18
Hash Function Guido Bertoni Luca Breveglieri Fundations of Cryptography - hash function pp. 1 / 18 Definition a hash function H is defined as follows: H : msg space digest space the msg space is the set
More informationA Meet-in-the-Middle Attack on 8-Round AES
A Meet-in-the-Middle Attack on 8-Round AES Hüseyin Demirci 1 and Ali Aydın Selçuk 2 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr 2 Department of Computer Engineering Bilkent
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationSharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl
Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Kimmo Järvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo,
More information