Differential Cryptanalysis of Hash Functions: How to find Collisions?

Size: px
Start display at page:

Download "Differential Cryptanalysis of Hash Functions: How to find Collisions?"

Transcription

1 Differential Cryptanalysis of Hash Functions: How to find Collisions? Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Austria Albena 2011 Albena Hash Function Cryptanalysis I 1

2 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 2

3 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 3

4 Motivation Cryptanalysis of block ciphers: well understood Cryptanalysis of hash functions: not so much hash functions were attacked like block ciphers Attacks on MD-family by Wang et al. broke A-1 NIST A-3 competition to find a successor of A-1 to focus research on hash function cryptanalysis Albena Hash Function Cryptanalysis I 4

5 Cryptographic Hash Function h m h(m) Hash function h maps arbitrary length input m to n-bit output h(m) Collision Resistance (2 n/2 ) find m, m with m m and h(m) = h(m ) Second-Preimage Resistance (2 n ) given m, h(m) find m with m m and h(m) = h(m ) Preimage Resistance (2 n ) given h(m) find m Albena Hash Function Cryptanalysis I 5

6 Iterated Hash Function Construction M 1 M 2 M 3 M t IV w f w f w f f w g n H(m) Most hash functions use some kind of iteration compression function f output transformation g chaining value size w n Strength depends on f, g, w smaller w needs stronger f Also building blocks are analyzed Albena Hash Function Cryptanalysis I 6

7 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 7

8 Collision Attacks m m h h h(m) = h(m ) Find two different messages which result in the same hash value: m m with h(m) = h(m ) birthday effect applies: 2 n/2 Albena Hash Function Cryptanalysis I 8

9 Collision Attacks (Differential View) m = m 0 m h h h h(m) h(m ) = h(m) = 0 Find two different messages which result in the same hash m, m with m 0 and h(m) = 0 Usually XOR differences are used: m = m m and h(m) = h(m) h(m ) Albena Hash Function Cryptanalysis I 9

10 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 10

11 Differential Characteristic m 0? h how to find m, m? find differential characteristic (trail, path) determines m holds with high probability P if P > 2 n/2 : find colliding m by trying 1/P random messages with complexity < 2 n/2 h(m) = 0 Albena Hash Function Cryptanalysis I 11

12 Differential Characteristic m 0? h how to find m, m? find differential characteristic (trail, path) determines m holds with high probability P if P > 2 n/2 : find colliding m by trying 1/P random messages with complexity < 2 n/2 how to improve complexity of attack? h(m) = 0 how to find good differential characteristics? Albena Hash Function Cryptanalysis I 11

13 How to Improve Complexity of Attack? m 0 h Good characteristic for block ciphers: optimizes probability Good characteristic for hash functions optimizes probability minimizes effort to find m How to find m? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic h(m) = 0 Albena Hash Function Cryptanalysis I 12

14 How to Improve Complexity of Attack? m 0 h Good characteristic for block ciphers: optimizes probability Good characteristic for hash functions optimizes probability minimizes effort to find m How to find m? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic h(m) = 0 characteristic with lower probability at input to get higher probability towards end Albena Hash Function Cryptanalysis I 12

15 How to Find Good Differential Characteristics? block cipher based design: use characteristic of block cipher attack (also related key characteristics) by hand: MD4, MD5, A-1 (Wang et al.) (semi-) automatic tools: linearize hash function (coding tools) non-linear differential search by design: well known best characteristics Albena Hash Function Cryptanalysis I 13

16 Example: A-1 high probability in second part (L) linearize hash function [RO05] search for linear differential characteristic using low weight code search connect with IV in first part (NL) low probability search for non-linear characteristic [WYY05, DR06] message modification easy for first 16 steps (just invert equation) also possible for more steps ( 25) (advanced message modification) Albena Hash Function Cryptanalysis I 14

17 Finding Linear Characteristics Message expansion is linear Linearize modular addition by XOR no carry with probability 1/2 Linearize Boolean function by XOR holds with probability 1/2 Probabilities are given for single bit differences Albena Hash Function Cryptanalysis I 15

18 Finding Linear Characteristics Differences with low Hamming weight result in good probability Finding good linear characteristic corresponds to finding low-weight code word in linear code Good representation of hash function is important Open source tool to find low weight code words: krypto/codingtool/ Albena Hash Function Cryptanalysis I 16

19 Finding Non-Linear Characteristics [DR06] Using generalized conditions Albena Hash Function Cryptanalysis I 17

20 Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Albena Hash Function Cryptanalysis I 18

21 Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Albena Hash Function Cryptanalysis I 18

22 Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Add conditions to control diff. no probability needed here Albena Hash Function Cryptanalysis I 18

23 Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Add conditions to control diff. no probability needed here Find conforming message pair message mod. until step 25 probabilistic for further steps Albena Hash Function Cryptanalysis I 18

24 Message Modification To improve complexity of attack in first few steps up to 25 in the case of A-1 Many dedicated techniques have been published: advanced message modifications [WYY05] equation solving [SKPI07] neutral bits [BC04] boomerang/tunnels [JP07, Kli06] greedy approach [D07] Resulting theoretical complexity for A-1: 2 63 [WYY05] implementation overhead! Albena Hash Function Cryptanalysis I 19

25 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 20

26 The Rebound Attack [ST09] One more tool in the cryptanalysis of hash functions Invented during the cryptanalysis of Whirlpool and Grøstl AES-based designs allow a simple application of the idea Related work: truncated differentials inside-out techniques meet-in-the-middle techniques message modification... Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool,... Albena Hash Function Cryptanalysis I 21

27 The Rebound Attack E bw E in E fw outbound inbound outbound Applies to block-cipher and permutation based designs: E = E fw E in E bw Inbound phase efficient meet-in-the-middle phase in E in aided by available degrees of freedom Outbound phase probabilistic part in E bw and E fw repeat inbound phase if needed P = P fw P in P bw Albena Hash Function Cryptanalysis I 22

28 The Whirlpool Hash Function Designed by Barretto and Rijmen in 2000 [BR00] evaluated by NESSIE standardized by ISO/IEC :2003 Iterative hash function based on the Merkle-Damgård design principle message block, chaining values, hash size: 512 bit M 1 M 2 M 3 M t IV f f f f H(m) Albena Hash Function Cryptanalysis I 23

29 The Whirlpool Compression Function H j 1 key schedule M j state update H j 512-bit hash value and using 512-bit message blocks Block-cipher based design (AES) Miyaguchi-Preneel mode with conservative key schedule Albena Hash Function Cryptanalysis I 24

30 The Whirlpool Round Transformations The state update and the key schedule update an 8 8 state S and K of 64 bytes 10 rounds each AES like round transformation r i = SubBytes ShiftColumns MixRows AddRoundKey K i S(x) + Albena Hash Function Cryptanalysis I 25

31 Collision Attack on Whirlpool H j 1 key schedule M j state update H j 1-block collision: fixed H j 1 (to IV ) f (M j, H j 1 ) = f (Mj, H j 1 ), M j Mj Albena Hash Function Cryptanalysis I 26

32 Collision Attack on Whirlpool H j 1 key schedule M j state update H j 1-block collision: fixed H j 1 (to IV ) f (M j, H j 1 ) = f (Mj, H j 1 ), M j Mj Albena Hash Function Cryptanalysis I 26

33 Collision Attack on 4 Rounds IV K 0 K 1 K 2 K 3 K 4 S 0 S 1 S 2 S 3 S 4 M 1 H 1 Differential trail with minimum number of active S-boxes 81 for any 4-round trail ( ) maximum differential probability: (2 5 ) 81 = Albena Hash Function Cryptanalysis I 27

34 Collision Attack on 4 Rounds IV K 0 K 1 K 2 K 3 K 4 constant S 0 S 1 S 2 S 3 S 4 M 1 H 1 Differential trail with minimum number of active S-boxes 81 for any 4-round trail ( ) maximum differential probability: (2 5 ) 81 = Albena Hash Function Cryptanalysis I 27

35 Collision Attack on 4 Rounds IV K 0 K 1 K 2 K 3 K 4 constant S 0 S 1 S 2 S 3 S 4 M 1 H 1 Differential trail with minimum number of active S-boxes 81 for any 4-round trail ( ) maximum differential probability: (2 5 ) 81 = How to find a message pair following the differential trail? Albena Hash Function Cryptanalysis I 27

36 First: Use Truncated Differences S 0 S 1 S 2 S 3 S 4 M 1 H 1 byte-wise truncated differences: active / not active we do not mind about actual differences single active byte at input and output is enough probabilistic in MixRows: 2 56 for 8 1 we can remove many restrictions (more freedom) hopefully less complexity of message search Albena Hash Function Cryptanalysis I 28

37 How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? Albena Hash Function Cryptanalysis I 29

38 How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? inside out? Albena Hash Function Cryptanalysis I 29

39 How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? inside out? meet in the middle? Albena Hash Function Cryptanalysis I 29

40 How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? inside out? meet in the middle? rebound! Albena Hash Function Cryptanalysis I 29

41 Rebound Attack on 4 Rounds [ST09] S 0 S 1 S 2 S 3 S 4 M 1 H 1 outbound phase inbound phase outbound phase Inbound phase (1) start with differences in round 2 and 3 (2) match-in-the-middle at S-box using values of the state Outbound phase (3) probabilistic propagation in MixRows in round 1 and 4 (4) match one-byte difference of feed-forward Albena Hash Function Cryptanalysis I 30

42 Inbound Phase S2 S 2 S3 S3 3a c0 e6 b9 5a 8c 08 c0 get values (1) Start with arbitrary differences in state S 3 we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31

43 Inbound Phase S2 S 2 S3 S3 e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31

44 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences get values differences (1) Start with arbitrary differences in state S3 linearly propagate all differences backward to S3 linearly propagate row-wise forward from S2 to S 2 we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31

45 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6? a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate row-wise forward from S 2 to S 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2 xx we get 2 xx solutions for each row we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31

46 Difference Distribution Table (Whirlpool) in \ out a 1b 1c 1d 1e 1f a b c d e f Albena Hash Function Cryptanalysis I 32

47 Match-in-the-Middle for Single S-box a Sbox b Check for matching input/output differences Using Difference Distribution Table (DDT) Sbox(x) Sbox(x a) = b Solve equation for all x and count the number of solutions: 25880/65025 entries (with a, b 0) in DDT are nonzero match with probability we get either 2, 4, 6 or 8 values values for possible differentials values (right pairs) on average Albena Hash Function Cryptanalysis I 33

48 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6? a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate row-wise forward from S 2 to S 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) Albena Hash Function Cryptanalysis I 34

49 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate row-wise forward from S 2 to S 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability we get solutions for each row Albena Hash Function Cryptanalysis I 34

50 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate row-wise forward from S 2 to S 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability we get solutions for each row we get right pairs with complexity < 2 16 Albena Hash Function Cryptanalysis I 34

51 Outbound Phase S 0 S 1 S 2 S 3 S 4 outbound inbound 2 56 average 1 outbound 2 56 (3) Propagate through MixRows of round 1 and round 4 using truncated differences (active bytes: 8 1) probability: 2 56 in each direction (4) Match difference in one active byte of feed-forward (2 8 ) collision for 4 rounds of Whirlpool with complexity Albena Hash Function Cryptanalysis I 35

52 Extending the Attack to 5 Rounds [L + 09] S 0 S 1 S 2 S 3 S 4 S 5 outbound 2 56 inbound average 1 outbound 2 56 By adding one round in the inbound phase of the attack we can extend the attack to 5 rounds The outbound phase is identical to the attack on 4 rounds probability: Construct starting points in the inbound phase with average complexity 1 Albena Hash Function Cryptanalysis I 36

53 Inbound Phase ee match S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences differences 2 64 differences (1) Start with arbitrary differences in state S 3 and S 3 (2) Match-in-the-middle at SuperBox ( ) similar to 64-bit S-box (DDT has size ) Albena Hash Function Cryptanalysis I 37

54 Inbound Phase ee match S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences differences 2 64 values/differences 2 64 differences (1) Start with arbitrary differences in state S3 and S3 we need to propagate all 2 64 differences backward at once (2) Match-in-the-middle at SuperBox ( ) similar to 64-bit S-box (DDT has size ) time-memory trade-off with time/memory 2 64 Albena Hash Function Cryptanalysis I 37

55 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences differences 2 64 values/differences 2 64 differences (1) Start with arbitrary differences in state S3 and S3 we need to propagate all 2 64 differences backward at once (2) Match-in-the-middle at SuperBox ( ) similar to 64-bit S-box (DDT has size ) time-memory trade-off with time/memory 2 64 with complexity 2 64 we get at least 2 64 pairs Albena Hash Function Cryptanalysis I 37

56 From Collisions to Near-Collisions S 0 S 1 S 2 S 3 S 4 S 5 S 6 S average Add one round at input and output no additional complexity MixRows: 1 8 with probability 1 Near-collision attack for 7 rounds time complexity and 2 64 memory Albena Hash Function Cryptanalysis I 38

57 Compression Function Attacks H j 1 key schedule M j state update H j We can freely choose the chaining input H j 1 no differences in H j 1 semi-free-start (near-) collisions Extend previous attacks by 2 rounds using multiple inbound phases Outbound phases of attacks stay the same Albena Hash Function Cryptanalysis I 39

58 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 Idea: use two independent inbound phases Albena Hash Function Cryptanalysis I 40

59 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase Idea: use two independent inbound phases Albena Hash Function Cryptanalysis I 40

60 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase 2nd inbound phase Idea: use two independent inbound phases Albena Hash Function Cryptanalysis I 40

61 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase connect 2nd inbound phase Idea: use two independent inbound phases connect them using 512-bit freedom of key input (S 3 = S 2 K 3 ) Albena Hash Function Cryptanalysis I 40

62 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase connect 2nd inbound phase Idea: use two independent inbound phases connect them using 512-bit freedom of key input (S 3 = S 2 K 3 ) A bit more tricky than that (3 key inputs involved) connect rows independently find 2 64 solutions with complexity Albena Hash Function Cryptanalysis I 40

63 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase connect 2nd inbound phase Idea: use two independent inbound phases connect them using 512-bit freedom of key input (S 3 = S 2 K 3 ) A bit more tricky than that (3 key inputs involved) connect rows independently find 2 64 solutions with complexity Collision on 7 and near-collision on 9 rounds Albena Hash Function Cryptanalysis I 40

64 Summary of Results on Whirlpool target rounds computational memory complexity requirements type hash s 2 s collision function s 2 s near-collision 7 2 compression 2 64 collision 9 2 function 2 64 near-collision Albena Hash Function Cryptanalysis I 41

65 Summary of Results on Whirlpool target rounds computational memory complexity requirements type hash s 2 s collision function s 2 s near-collision compression 2 64 collision function 2 64 near-collision Albena Hash Function Cryptanalysis I 41

66 Summary of Results on Whirlpool target rounds computational memory complexity requirements type hash s 2 s collision function s 2 s near-collision compression 2 64 collision function 2 64 near-collision distinguisher Albena Hash Function Cryptanalysis I 41

67 Open Problems H j 1 key schedule M j state update H j Using differences also in the chaining input Combination of: related-key attacks on block ciphers local collisions rebound attack Albena Hash Function Cryptanalysis I 42

68 The A-3 Candidate Grøstl [GKM + 11] M i Q H i 1 P H i A-3 finalist AES-based hash function Permutation based design Designed by DTU (Denmark) and TU Graz (Austria) Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen Albena Hash Function Cryptanalysis I 43

69 Permutations P and Q of Grøstl Q: AddRoundConstant ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fieidicibiai9i8i SubBytes S ShiftRows MixColumns P: 0i1i2i3i4i5i6i7i S AES like round transformations 8 8 state and 10 rounds for Grøstl state and 14 rounds for Grøstl-512 Based on design principles of AES not using AES as a direct building block better diffusion, wider trails Albena Hash Function Cryptanalysis I 44

70 The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P average ) Construct optimal truncated differential path by hand, well-known how to find right pairs? Albena Hash Function Cryptanalysis I 45

71 The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P average ) Construct optimal truncated differential path by hand, well-known how to find right pairs? 2) Inbound phase three rounds with average complexity 1 using SuperBox time-memory trade-offs Albena Hash Function Cryptanalysis I 45

72 The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P average ) Construct optimal truncated differential path by hand, well-known how to find right pairs? 2) Inbound phase three rounds with average complexity 1 using SuperBox time-memory trade-offs 3) Outbound phase high probability for sparse paths Albena Hash Function Cryptanalysis I 45

73 The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P average ) Construct optimal truncated differential path by hand, well-known how to find right pairs? 2) Inbound phase three rounds with average complexity 1 using SuperBox time-memory trade-offs 3) Outbound phase high probability for sparse paths find solutions with complexity and 2 64 memory Albena Hash Function Cryptanalysis I 45

74 Relatively Simple Analysis of Grøstl M 1 Q 0 Q 1 Q 2 Q 3 average IV P 0 P 1 P 2 P 3 H 1 Easy to construct truncated differential paths optimal use of available freedom (message) Results for Grøstl-256, Grøstl-512 hash function collisions for 3 rounds (of 10,14) compression function collisions for 6 rounds (of 10,14) Albena Hash Function Cryptanalysis I 46

75 Summary for Rebound Attack on Grøstl Lots of cryptanalysis (mostly on Grøstl-0) [MPRS09, Pey10, SLW + 10, ST09, ST10, ITP10] No multiple inbound phases possible No key-schedule input (no related-key attacks) Provable resistance against standard differential attacks Using (powerful) truncated differentials still only 3 out of 10 rounds can be attacked Albena Hash Function Cryptanalysis I 47

76 Summary of Rebound Attacks Basic principle not that difficult efficient inbound phase probabilistic outbound phase Difficulty in constructing and merging inbound phases finding good and sparse truncated differential paths efficient way to use available freedom for merge Albena Hash Function Cryptanalysis I 48

77 Other Rebound Attacks ECHO: big state but rather sparse truncated differential paths JH: 4-bit S-boxes, multiple inbound phases Lane: 2x inbound for Lane-256, 3x inbound for LANE-512 Luffa: 4-bit S-boxes, find differential path first, then values Skein: rotational rebound attack Albena Hash Function Cryptanalysis I 49

78 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 50

79 More Freedom in Attacking Hash Functions... than in attacks on block ciphers AES-based designs (Whirlpool Grøstl): 3 rounds in the middle with (average) complexity rounds at the beginning ARX-based designs (A-1): up to 25 steps at the beginning with message modification Albena Hash Function Cryptanalysis I 51

80 Conclusion Differential cryptanalysis powerful tool in analyzing hash functions many hash functions broken using DC sparse (truncated) differential characteristics needed AES based designs: best truncated differential path can be used (with small modifications) rebound attack to find differences and values simultaneously ARX based designs: unknown if good characteristics exist (semi-)automatic tools needed (linear,nonlinear) still some work to do for ARX based A-3 finalists Albena Hash Function Cryptanalysis I 52

81 Thank you for your Attention! Questions? Albena Hash Function Cryptanalysis I 53

82 References I [BC04] [BR00] [D07] Eli Biham and Rafi Chen. Near-Collisions of A-0. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of LNCS, pages Springer, Paulo S. L. M. Barreto and Vincent Rijmen. The WHIRLPOOL Hashing Function. Submitted to NESSIE, September 2000, revised May 2003, Available online: Christophe De Cannière, Florian Mendel, and Christian Rechberger. Collisions for 70-Step A-1: On the Full Cost of Collision Search. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 of LNCS, pages Springer, Albena Hash Function Cryptanalysis I 54

83 References II [DR06] [GKM + 11] [ITP10] Christophe De Cannière and Christian Rechberger. Finding A-1 Characteristics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors, ASIRYPT, volume 4284 of LNCS, pages Springer, Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl a A-3 candidate. Submission to NIST (Round 3), January Available online: Round3/submissions_rnd3.html. Kota Ideguchi, Elmar Tischhauser, and Bart Preneel. Improved Collision Attacks on the Reduced-Round Grøstl Hash Function. In Mike Burmester, Gene Tsudik, Spyros S. Magliveras, and Ivana Ilic, editors, I, volume 6531 of LNCS, pages Springer, Albena Hash Function Cryptanalysis I 55

84 References III [JF11] [JP07] [Kli06] Jérémy Jean and Pierre-Alain Fouque. Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function. In Fast Software Encryption, To appear. Antoine Joux and Thomas Peyrin. Hash Functions and the (Amplified) Boomerang Attack. In Alfred Menezes, editor, CRYPTO, volume 4622 of LNCS, pages Springer, Vlastimil Klima. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology eprint Archive, Report 2006/105, Albena Hash Function Cryptanalysis I 56

85 References IV [KNPRS10] [L + 09] Dmitry Khovratovich, María Naya-Plasencia, Andrea Röck, and Martin Schläffer. Cryptanalysis of Luffa v2 Components. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages Springer, Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schläffer. Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In Mitsuru Matsui, editor, ASIRYPT, volume 5912 of LNCS, pages Springer, [MNPN + 09] Krystian Matusiewicz, María Naya-Plasencia, Ivica Nikolić, Yu Sasaki, and Martin Schläffer. Rebound Attack on the Full Lane Compression Function. In Mitsuru Matsui, editor, ASIRYPT, volume 5912 of LNCS, pages Springer, Albena Hash Function Cryptanalysis I 57

86 References V [MPRS09] [S09] Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schläffer. Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages Springer, Florian Mendel, Christian Rechberger, and Martin Schläffer. Cryptanalysis of Twister. In Michel Abdalla, David Pointcheval, Pierre-Alain Fouque, and Damien Vergnaud, editors, NS, volume 5536 of LNCS, pages , [ST09] Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of LNCS, pages Springer, Albena Hash Function Cryptanalysis I 58

Grøstl a SHA-3 candidate

Grøstl a SHA-3 candidate Grøstl a SHA-3 candidate Krystian Matusiewicz Wroclaw University of Technology CECC 2010, June 12, 2010 Krystian Matusiewicz Grøstl a SHA-3 candidate 1/ 26 Talk outline Cryptographic hash functions NIST

More information

Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512

Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512 Preimage Attacks on 4-Step SHA-256 and 46-Step SHA-52 Yu Sasaki, Lei Wang 2, and Kazumaro Aoki NTT Information Sharing Platform Laboratories, NTT Corporation 3-9- Midori-cho, Musashino-shi, Tokyo, 8-8585

More information

Tools in Cryptanalysis of Hash Functions

Tools in Cryptanalysis of Hash Functions Tools in Cryptanalysis of Hash Functions Application to SHA-256 Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010

More information

Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions

Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions Florian Mendel, Tomislav Nad, and Martin Schläffer IAIK, Graz University of Technology, Austria tomislav.nad@iaik.tugraz.at

More information

Hash Function JH and the NIST SHA3 Hash Competition

Hash Function JH and the NIST SHA3 Hash Competition Hash Function JH and the NIST SHA3 Hash Competition Hongjun Wu Nanyang Technological University Presented at ACNS 2012 1 Introduction to Hash Function Hash Function Design Basics Hash function JH Design

More information

Randomly Failed! The State of Randomness in Current Java Implementations

Randomly Failed! The State of Randomness in Current Java Implementations Randomly Failed! The State of Randomness in Current Java Implementations Kai Michaelis, Chris Meyer, Jörg Schwenk Horst Görtz Institute for IT-Security (HGI) Chair for Network and Data Security Ruhr-University

More information

The Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) Conception - Why A New Cipher? Conception - Why A New Cipher? DES had outlived its usefulness Vulnerabilities were becoming known 56-bit key was too small Too slow

More information

Chapter 1 On the Secure Hash Algorithm family

Chapter 1 On the Secure Hash Algorithm family Chapter 1 On the Secure Hash Algorithm family Written by Wouter Penard, Tim van Werkhoven. 1.1 Introduction This report is on the Secure Hash Algorithm family, better known as the SHA hash functions. We

More information

The 128-bit Blockcipher CLEFIA Design Rationale

The 128-bit Blockcipher CLEFIA Design Rationale The 128-bit Blockcipher CLEFIA Design Rationale Revision 1.0 June 1, 2007 Sony Corporation NOTICE THIS DOCUMENT IS PROVIDED AS IS, WITH NO WARRANTIES WHATSOVER, INCLUDING ANY WARRANTY OF MERCHANTABIL-

More information

The Advanced Encryption Standard: Four Years On

The Advanced Encryption Standard: Four Years On The Advanced Encryption Standard: Four Years On Matt Robshaw Reader in Information Security Information Security Group Royal Holloway University of London September 21, 2004 The State of the AES 1 The

More information

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

More information

Permutation-based encryption, authentication and authenticated encryption

Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract.

More information

Related-Key Rectangle Attack of the Full HAS-160 in Encryption Mode

Related-Key Rectangle Attack of the Full HAS-160 in Encryption Mode Related-Key Rectangle Attack of the Full HAS-160 in Encryption Mode Orr Dunkelman 1, Ewan Fleischmann 2, Michael Gorski 2, and Stefan Lucks 2 1 Ecole Normale Superieure, France OrrDunkelman@ensfr 2 Bauhaus-University

More information

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key Julia Juremi Ramlan Mahmod Salasiah Sulaiman Jazrin Ramli Faculty of Computer Science and Information Technology, Universiti Putra

More information

An Efficient Cryptographic Hash Algorithm (BSA)

An Efficient Cryptographic Hash Algorithm (BSA) An Efficient Cryptographic Hash Algorithm (BSA) Subhabrata Mukherjee 1, Bimal Roy 2, Anirban Laha 1 1 Dept of CSE, Jadavpur University, Calcutta 700 032, India 2 Indian Statistical Institute, Calcutta

More information

The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition

The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition Bart Preneel Katholieke Universiteit Leuven and IBBT Dept. Electrical Engineering-ESAT/COSIC, Kasteelpark Arenberg 10 Bus

More information

Block Ciphers that are Easier to Mask: How Far Can we Go?

Block Ciphers that are Easier to Mask: How Far Can we Go? Block Ciphers that are Easier to Mask: How Far Can we Go? Benoît Gérard 1,2, Vincent Grosso 1, María Naya-Plasencia 3, François-Xavier Standaert 1 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain,

More information

Lecture 4 Data Encryption Standard (DES)

Lecture 4 Data Encryption Standard (DES) Lecture 4 Data Encryption Standard (DES) 1 Block Ciphers Map n-bit plaintext blocks to n-bit ciphertext blocks (n = block length). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption

More information

How to Break MD5 and Other Hash Functions

How to Break MD5 and Other Hash Functions How to Break MD5 and Other Hash Functions Xiaoyun Wang and Hongbo Yu Shandong University, Jinan 250100, China xywang@sdu.edu.cn yhb@mail.sdu.edu.cn Abstract. MD5 is one of the most widely used cryptographic

More information

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Introduction

More information

Hash Function of Finalist SHA-3: Analysis Study

Hash Function of Finalist SHA-3: Analysis Study International Journal of Advanced Computer Science and Information Technology (IJACSIT) Vol. 2, No. 2, April 2013, Page: 1-12, ISSN: 2296-1739 Helvetic Editions LTD, Switzerland www.elvedit.com Hash Function

More information

Cryptanalysis of Dynamic SHA(2)

Cryptanalysis of Dynamic SHA(2) Cryptanalysis of Dynamic SHA(2) Jean-Philippe Aumasson 1,, Orr Dunkelman 2,, Sebastiaan Indesteege 3,4,, and Bart Preneel 3,4 1 FHNW, Windisch, Switzerland. 2 École Normale Supérieure, INRIA, CNRS, Paris,

More information

SHA3 WHERE WE VE BEEN WHERE WE RE GOING

SHA3 WHERE WE VE BEEN WHERE WE RE GOING SHA3 WHERE WE VE BEEN WHERE WE RE GOING Bill Burr May 1, 2013 updated version of John Kelsey s RSA2013 presentation Overview of Talk Where We ve Been: Ancient history 2004 The Competition Where We re Going

More information

Length extension attack on narrow-pipe SHA-3 candidates

Length extension attack on narrow-pipe SHA-3 candidates Length extension attack on narrow-pipe SHA-3 candidates Danilo Gligoroski Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2B, N-7491 Trondheim, NORWAY danilo.gligoroski@item.ntnu.no

More information

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Attacks on Cryptosystems Up to this point, we have mainly seen how ciphers are implemented. We

More information

LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations

LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1, Gaëtan Leurent 1,2, François-Xavier Standaert 1, Kerem Varici 1 1 ICTEAM/ELEN/Crypto Group, Université catholique

More information

Specification of Cryptographic Technique PC-MAC-AES. NEC Corporation

Specification of Cryptographic Technique PC-MAC-AES. NEC Corporation Specification of Cryptographic Technique PC-MAC-AS NC Corporation Contents 1 Contents 1 Design Criteria 2 2 Specification 2 2.1 Notations............................................. 2 2.2 Basic Functions..........................................

More information

On the Influence of the Algebraic Degree of the Algebraic Degree of

On the Influence of the Algebraic Degree of the Algebraic Degree of IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 59, NO. 1, JANUARY 2013 691 On the Influence of the Algebraic Degree of the Algebraic Degree of Christina Boura and Anne Canteaut on Abstract We present a

More information

The Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) All of the cryptographic algorithms we have looked at so far have some problem. The earlier ciphers can be broken with ease on modern computation systems. The DES

More information

Split Based Encryption in Secure File Transfer

Split Based Encryption in Secure File Transfer Split Based Encryption in Secure File Transfer Parul Rathor, Rohit Sehgal Assistant Professor, Dept. of CSE, IET, Nagpur University, India Assistant Professor, Dept. of CSE, IET, Alwar, Rajasthan Technical

More information

SeChat: An AES Encrypted Chat

SeChat: An AES Encrypted Chat Name: Luis Miguel Cortés Peña GTID: 901 67 6476 GTG: gtg683t SeChat: An AES Encrypted Chat Abstract With the advancement in computer technology, it is now possible to break DES 56 bit key in a meaningful

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

More information

CS549: Cryptography and Network Security

CS549: Cryptography and Network Security CS549: Cryptography and Network Security by Xiang-Yang Li Department of Computer Science, IIT Cryptography and Network Security 1 Notice This lecture note (Cryptography and Network Security) is prepared

More information

Cryptography and Network Security Chapter 11

Cryptography and Network Security Chapter 11 Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 11 Cryptographic Hash Functions Each of the messages, like each

More information

Secret File Sharing Techniques using AES algorithm. C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002

Secret File Sharing Techniques using AES algorithm. C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002 Secret File Sharing Techniques using AES algorithm C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002 1. Feature Overview The Advanced Encryption Standard (AES) feature adds support

More information

EnCounter: On Breaking the Nonce Barrier

EnCounter: On Breaking the Nonce Barrier EnCounter: On Breaking the Nonce Barrier in Differential Fault Analysis with a Case-Study on PAEQ Dhiman Saha, Dipanwita Roy Chowdhury Crypto Research Lab, Department of Computer Science and Engineering,

More information

Ascon. Ch. Dobraunig 1, M. Eichlseder 1, F. Mendel 1, M. Schläffer 2. 22nd Crypto Day, Infineon, Munich. (A Submission to CAESAR)

Ascon. Ch. Dobraunig 1, M. Eichlseder 1, F. Mendel 1, M. Schläffer 2. 22nd Crypto Day, Infineon, Munich. (A Submission to CAESAR) Ascon (A Submission to CAESAR) Ch. Dobraunig 1, M. Eichlseder 1, F. Mendel 1, M. Schläffer 2 1 IAIK, Graz University of Technology, Austria 2 Infineon Technologies AG, Austria 22nd Crypto Day, Infineon,

More information

A New 128-bit Key Stream Cipher LEX

A New 128-bit Key Stream Cipher LEX A New 128-it Key Stream Cipher LEX Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenerg 10, B 3001 Heverlee, Belgium http://www.esat.kuleuven.ac.e/~airyuko/ Astract.

More information

1 Data Encryption Algorithm

1 Data Encryption Algorithm Date: Monday, September 23, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been

More information

On the Impact of Known-Key Attacks on Hash Functions

On the Impact of Known-Key Attacks on Hash Functions On the Impact of Known-Key Attacs on Hash Functions Bart Mennin and Bart Preneel Dept Electrical Engineering, ESAT/COSIC, KU Leuven, and iminds, Belgium bartmennin@esatuleuvenbe, bartpreneel@esatuleuvenbe

More information

Algebraic Attacks on SOBER-t32 and SOBER-t16 without stuttering

Algebraic Attacks on SOBER-t32 and SOBER-t16 without stuttering Algebraic Attacks on SOBER-t32 and SOBER-t16 without stuttering Joo Yeon Cho and Josef Pieprzyk Center for Advanced Computing Algorithms and Cryptography, Department of Computing, Macquarie University,

More information

Differential Cryptanalysis of PUFFIN and PUFFIN.

Differential Cryptanalysis of PUFFIN and PUFFIN. Differential Cryptanalysis of PUFFIN and PUFFIN2 Céline Blondeau 1 and Benoît Gérard 2 1 Aalto University School of Science, Department of Information and Computer Science 2 Université catholique de Louvain,

More information

A Secure Software Implementation of Nonlinear Advanced Encryption Standard

A Secure Software Implementation of Nonlinear Advanced Encryption Standard IOSR Journal of VLSI and Signal Processing (IOSR-JVSP) ISSN: 2319 4200, ISBN No. : 2319 4197 Volume 1, Issue 5 (Jan. - Feb 2013), PP 44-48 A Secure Software Implementation of Nonlinear Advanced Encryption

More information

Unknown Plaintext Template Attacks

Unknown Plaintext Template Attacks Unknown Plaintext Template Attacks Neil Hanley, Michael Tunstall 2, and William P. Marnane Department of Electrical and Electronic Engineering, University College Cork, Ireland. neilh@eleceng.ucc.ie, l.marnane@ucc.ie

More information

CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Secret Key Cryptography (I) 1 Introductory Remarks Roadmap Feistel Cipher DES AES Introduction

More information

Application of cube attack to block and stream ciphers

Application of cube attack to block and stream ciphers Application of cube attack to block and stream ciphers Janusz Szmidt joint work with Piotr Mroczkowski Military University of Technology Military Telecommunication Institute Poland 23 czerwca 2009 1. Papers

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 12 Block Cipher Standards

More information

Message Authentication

Message Authentication Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

More information

Self-evaluation Report PC-MAC-AES. NEC Corporation

Self-evaluation Report PC-MAC-AES. NEC Corporation Self-evaluation Report PC-MAC-AES NEC Corporation Contents 1 Contents 1 Overview 2 2 Summary of Security Evaluation 2 3 Security Evaluation 3 3.1 Preliminaries...........................................

More information

A NEW HASH ALGORITHM: Khichidi-1

A NEW HASH ALGORITHM: Khichidi-1 A NEW HASH ALGORITHM: Khichidi-1 Abstract This is a technical document describing a new hash algorithm called Khichidi-1 and has been written in response to a Hash competition (SHA-3) called by National

More information

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1) Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 3 Symmetric Cryptography General Description Modes of ion Data ion Standard (DES)

More information

On Collisions for MD5

On Collisions for MD5 Eindhoven University of Technology Department of Mathematics and Computing Science MASTER S THESIS On Collisions for MD5 By M.M.J. Stevens Supervisor: Prof. dr. ir. H.C.A. van Tilborg Advisors: Dr. B.M.M.

More information

SD12 REPLACES: N19780

SD12 REPLACES: N19780 ISO/IEC JTC 1/SC 27 N13432 ISO/IEC JTC 1/SC 27 Information technology - Security techniques Secretariat: DIN, Germany SD12 REPLACES: N19780 DOC TYPE: TITLE: Standing document ISO/IEC JTC 1/SC 27 Standing

More information

Authentication requirement Authentication function MAC Hash function Security of

Authentication requirement Authentication function MAC Hash function Security of UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

More information

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch 1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

More information

Cryptography and Network Security Block Cipher

Cryptography and Network Security Block Cipher Cryptography and Network Security Block Cipher Xiang-Yang Li Modern Private Key Ciphers Stream ciphers The most famous: Vernam cipher Invented by Vernam, ( AT&T, in 1917) Process the message bit by bit

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors

More information

Cryptanalysis of Grain using Time / Memory / Data Tradeoffs

Cryptanalysis of Grain using Time / Memory / Data Tradeoffs Cryptanalysis of Grain using Time / Memory / Data Tradeoffs v1.0 / 2008-02-25 T.E. Bjørstad The Selmer Center, Department of Informatics, University of Bergen, Pb. 7800, N-5020 Bergen, Norway. Email :

More information

Comparison of seven SHA-3 candidates software implementations on smart cards.

Comparison of seven SHA-3 candidates software implementations on smart cards. Comparison of seven SHA-3 candidates software implementations on smart cards. Mourad Gouicem Oberthur Technologies Contact : {g.piret, e.prouff}@oberthur.com October 2010 Abstract In this work, we present

More information

Introduction to SHA-3 and Keccak

Introduction to SHA-3 and Keccak Introduction to SHA-3 and Keccak Joan Daemen STMicroelectronics and Radboud University Crypto summer school 2015 Šibenik, Croatia, May 31 - June 5, 2015 1 / 45 Outline 1 The SHA-3 competition 2 The sponge

More information

Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT

Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT Jorge Nakahara Jr 1, Pouyan Sepehrdad 1, Bingsheng Zhang 2, Meiqin Wang 3 1 EPFL, Lausanne, Switzerland 2 Cybernetica AS, Estonia and

More information

SFLASH v3, a fast asymmetric signature scheme

SFLASH v3, a fast asymmetric signature scheme SFLASH v3, a fast asymmetric signature scheme Specification of SFLASH, version 3.0., 17 October 2003 The authors still recommend SFLASH-v2, see below. Nicolas T. Courtois 1, Louis Goubin 1 and Jacques

More information

BPS: a Format-Preserving Encryption Proposal

BPS: a Format-Preserving Encryption Proposal BPS: a Format-Preserving Encryption Proposal Eric Brier, Thomas Peyrin and Jacques Stern Ingenico, France {forenare.nare}@ingenico.cor Abstract. In recent months, attacks on servers of payment processors

More information

Network Security - ISA 656 Introduction to Cryptography

Network Security - ISA 656 Introduction to Cryptography Network Security - ISA 656 Angelos Stavrou September 18, 2007 Codes vs. K = {0, 1} l P = {0, 1} m C = {0, 1} n, C C E : P K C D : C K P p P, k K : D(E(p, k), k) = p It is infeasible to find F : P C K Let

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard

More information

The SHAvite-3 Hash Function

The SHAvite-3 Hash Function The SHAvite-3 Hash Function Tweaked Version 23.11.2009 Eli Biham 1, and Orr Dunkelman 2,3 1 Computer Science Department, Technion Haifa 32000, Israel biham@cs.technion.ac.il 2 École Normale Supérieure

More information

The Stream Cipher HC-128

The Stream Cipher HC-128 The Stream Cipher HC-128 Hongjun Wu Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium wu.hongjun@esat.kuleuven.be Statement 1. HC-128 supports 128-bit

More information

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 316-8511,

More information

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR William Stallings Copyright 20010 H.1 THE ORIGINS OF AES...2 H.2 AES EVALUATION...3 Supplement to Cryptography and Network Security, Fifth Edition

More information

Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT

Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT Onur Özen1, Kerem Varıcı 2, Cihangir Tezcan 3, and Çelebi Kocair 4 1 EPFL IC LACAL Station 14. CH-1015 Lausanne, Switzerland

More information

Elliptic Curve Hash (and Sign)

Elliptic Curve Hash (and Sign) Elliptic Curve Hash (and Sign) (and the 1-up problem for ECDSA) Daniel R. L. Brown Certicom Research ECC 2008, Utrecht, Sep 22-24 2008 Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43

More information

Multi-Layered Cryptographic Processor for Network Security

Multi-Layered Cryptographic Processor for Network Security International Journal of Scientific and Research Publications, Volume 2, Issue 10, October 2012 1 Multi-Layered Cryptographic Processor for Network Security Pushp Lata *, V. Anitha ** * M.tech Student,

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

What output size resists collisions in a xor of independent expansions?

What output size resists collisions in a xor of independent expansions? What output size resists collisions in a xor of independent expansions? Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (MC 249) University of Illinois at Chicago, Chicago,

More information

Network Security. Omer Rana

Network Security. Omer Rana Network Security Omer Rana CM0255 Material from: Cryptography Components Sender Receiver Plaintext Encryption Ciphertext Decryption Plaintext Encryption algorithm: Plaintext Ciphertext Cipher: encryption

More information

Active Domain Expansion for Narrow-pipe Hash

Active Domain Expansion for Narrow-pipe Hash Active Domain Expansion for Narrow-pipe Hash Xigen Yao Wuxi Hengqi Electromechanical Device Co.Ltd.China email : dihuo377@163.com November 30, 2012 Abstract. In this article, we give an approach to the

More information

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Chapter 11 Message Authentication and Hash Functions At cats' green on the Sunday he took the message from the inside of

More information

Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

More information

Research Article. ISSN 2347-9523 (Print) *Corresponding author Shi-hai Zhu Email:

Research Article. ISSN 2347-9523 (Print) *Corresponding author Shi-hai Zhu Email: Scholars Journal of Engineering and Technology (SJET) Sch. J. Eng. Tech., 2014; 2(3A):352-357 Scholars Academic and Scientific Publisher (An International Publisher for Academic and Scientific Resources)

More information

KALE: A High-Degree Algebraic-Resistant Variant of The Advanced Encryption Standard

KALE: A High-Degree Algebraic-Resistant Variant of The Advanced Encryption Standard KALE: A High-Degree Algebraic-Resistant Variant of The Advanced Encryption Standard Dr. Gavekort c/o Vakiopaine Bar Kauppakatu 6, 41 Jyväskylä FINLAND mjos@iki.fi Abstract. We have discovered that the

More information

A Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms.

A Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms. A Comparative Study Of Two Symmetric Algorithms Across Different Platforms. Dr. S.A.M Rizvi 1,Dr. Syed Zeeshan Hussain 2 and Neeta Wadhwa 3 Deptt. of Computer Science, Jamia Millia Islamia, New Delhi,

More information

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

More information

Design of a New Stream Cipher LEX

Design of a New Stream Cipher LEX Design of a New Stream Cipher LEX Alex Biryukov University of Luxemourg, FSTC, 6, rue Richard Coudenhove-Kalergi, L-1359 Luxemourg-Kircherg Luxemourg Astract. In this paper we define a notion of leak extraction

More information

Second Preimages on n-bit Hash Functions for Much Less than 2 n Work

Second Preimages on n-bit Hash Functions for Much Less than 2 n Work Second Preimages on n-bit Hash Functions for Much Less than 2 n Work John Kelsey 1 and Bruce Schneier 2 1 National Institute of Standards and Technology, john.kelsey@nist.gov 2 Counterpane Internet Security,

More information

K 2r+8 PHT <<<1 MDS MDS

K 2r+8 PHT <<<1 MDS MDS )*.1,(/-+032 THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS 034- TECHNICAL REPORT OF IEICE. 7865'9 Twosh ;? @A 3 B&C y 3 NTT FRUX_a[\]Ye`khE f 239-0847 Gnql #Hw~ ˆ g 1-1

More information

Enhancing the Integrity of Short Message Service (SMS) in New Generation Mobile Devices

Enhancing the Integrity of Short Message Service (SMS) in New Generation Mobile Devices www.ijcsi.org 282 Enhancing the Integrity of Short Message Service (SMS) in New Generation Mobile Devices Ramesh Yegireddi 1, Surya Pavan Kumar Gudla 2 Kiran Kumar Reddi 3 and Naresh Tangudu 4 1 CSE Department,

More information

Statistical weakness in Spritz against VMPC-R: in search for the RC4 replacement

Statistical weakness in Spritz against VMPC-R: in search for the RC4 replacement Statistical weakness in Spritz against VMPC-R: in search for the RC4 replacement Bartosz Zoltak www.vmpcfunction.com bzoltak@vmpcfunction.com Abstract. We found a statistical weakness in the Spritz algorithm

More information

Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3 Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon

More information

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

More information

On the Key Schedule Strength of PRESENT

On the Key Schedule Strength of PRESENT On the Key Schedule Strength of PRESENT Julio Cesar Hernandez-Castro 1, Pedro Peris-Lopez 2 Jean-Philippe Aumasson 3 1 School of Computing, Portsmouth University, UK 2 Information Security & Privacy Lab,

More information

Cube Attacks on Tweakable Black Box Polynomials

Cube Attacks on Tweakable Black Box Polynomials Cube Attacks on Tweakable Black Box Polynomials Itai Dinur and Adi Shamir Computer Science department The Weizmann Institute Rehobot 76100, Israel Abstract. Almost any cryptographic scheme can be described

More information

Cryptography Lecture 8. Digital signatures, hash functions

Cryptography Lecture 8. Digital signatures, hash functions Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting

More information

9 Digital Signatures: Definition and First Constructions. Hashing.

9 Digital Signatures: Definition and First Constructions. Hashing. Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For

More information

A NEW DNA BASED APPROACH OF GENERATING KEY-DEPENDENT SHIFTROWS TRANSFORMATION

A NEW DNA BASED APPROACH OF GENERATING KEY-DEPENDENT SHIFTROWS TRANSFORMATION A NEW DNA BASED APPROACH OF GENERATING KEY-DEPENDENT SHIFTROWS TRANSFORMATION Auday H. Al-Wattar 1, Ramlan Mahmod 2, Zuriati Ahmad Zukarnain3, and Nur Izura Udzir4, 1 Faculty of Computer Science and Information

More information

Serpent: A Proposal for the Advanced Encryption Standard

Serpent: A Proposal for the Advanced Encryption Standard Serpent: A Proposal for the Advanced Encryption Standard Ross Anderson 1 Eli Biham 2 Lars Knudsen 3 1 Cambridge University, England; email rja14@cl.cam.ac.uk 2 Technion, Haifa, Israel; email biham@cs.technion.ac.il

More information