DOCSLIB.ORG

Cryptography and Computer Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

CSCE 477/877: Cryptography and Computer Security Dr. Chris Bourke Department of Computer Science & Engineering University of Nebraska|Lincoln Lincoln, NE 68588, USA http://cse.unl.edu/~cbourke [email protected] 2015/02/10 11:14:38 Contents 1. Introduction5 1.1. Administrivia.................................5 1.2. What is Security?...............................5 1.3. Alphabet Soup................................6 I. Classical Ciphers & Cryptanalysis8 2. Classical Ciphers8 2.1. Basic Definitions...............................8 2.2. Basic Algebra.................................9 2.2.1. Algebraic Structures......................... 10 2.2.2. Finding Inverses: Euclid's Algorithm................ 13 2.3. Substitution Cipher.............................. 15 2.4. Affine Cipher................................. 15 2.5. Permutation Cipher.............................. 16 2.6. Hill Cipher................................... 16 2.6.1. Computing matrix inverses over Zm ................. 17 2.7. Others..................................... 19 2.8. Cryptanalysis................................. 19 2.8.1. Frequency Analysis.......................... 20 2.8.2. Incidence of Coincidence....................... 20 1 2.9. \Perfect" Cryptography & The One-time Pad............... 22 2.9.1. A discussion on Randomness..................... 24 2.10. Entropy & English.............................. 25 2.11. Summary, Discussion............................. 27 II. Modern Block Ciphers 28 3. Substitution-Permutation Networks 28 4. DES 32 5. AES 35 5.0.1. Overall Description (128 bit version)................ 36 5.0.2. Add Round Key............................ 37 5.0.3. Algebra................................ 37 5.0.4. Mix Columns............................. 37 5.0.5. Key Schedule............................. 40 5.0.6. Conclusion............................... 40 5.1. Modes of Operation.............................. 41 5.1.1. Galois Counter Mode......................... 44 III. Hash Functions 45 6. Basics 45 6.1. Types of Attacks............................... 46 6.2. Resources................................... 49 7. MD4 & MD5 50 8. SHA1 50 8.1. Merkle-Damg˚ardConstructions....................... 50 9. SHA-2 54 9.1. SHA-512.................................... 54 10.SHA3: Keccek 62 10.0.1. Sponge Function........................... 62 10.0.2. Operation............................... 64 11.Message Authentication Codes 68 12.Authentication & Password Management 69 12.1. Doing it Right................................. 70 2 12.2. Centralized Authentication Services & Protocols.............. 71 12.2.1. Breaking Passwords.......................... 73 IV. Public Key Cryptography 74 13.RSA 74 13.1. The System.................................. 74 13.1.1. Necessary Tools............................ 75 13.1.2. Repeated Squaring/Fast Binary Exponentiation.......... 75 13.1.3. Small example............................. 77 13.2. Foundations.................................. 78 13.2.1. Fermat's Little Theorem....................... 79 13.2.2. Euler's Theorem........................... 81 13.3. Primality Testing............................... 81 13.3.1. Fermat's Test............................. 82 13.3.2. Solovay-Strassen........................... 83 13.3.3. Miller-Rabin.............................. 85 13.3.4. Lucas-Lehmer............................. 88 13.3.5. Baillie-PSW.............................. 88 13.3.6. AKS.................................. 89 13.4. Factoring Attacks............................... 90 13.4.1. Trial Division & Sieve of Eratosthenes............... 91 13.4.2. Fermat's Factorization (and strong primes)............. 91 13.4.3. Pollard p − 1............................. 92 13.4.4. Pollard-Rho.............................. 95 13.4.5. Dixon's Method............................ 96 13.4.6. Quadratic Sieve............................ 99 13.4.7. Number Field Sieve.......................... 100 13.4.8. Elliptic Curve Factorization..................... 100 13.4.9. Shor's Algorithm: Quantum Factorization............. 100 13.5. Non-Factoring Attacks............................ 101 13.5.1. Exposing φ(n)............................. 101 13.5.2. Exposing The Decryption Exponent................. 101 13.5.3. Wiener's small a (decryption) attack................ 102 13.5.4. Chosen Ciphertext Attack...................... 102 13.5.5. Common Modulus Attack...................... 103 13.5.6. Hastad/Coppersmith Attack..................... 104 13.6. RSA In Practice................................ 104 13.6.1. Size of Modulus............................ 104 13.6.2. Choice of Exponent.......................... 105 13.6.3. Padding................................ 105 13.6.4. Chinese Remainder Theorem Speed Up............... 110 13.6.5. Misc.................................. 112 3 14.Discrete Logarithm 112 14.1. Problem.................................... 112 14.1.1. Preliminaries............................. 112 14.1.2. Definition............................... 114 14.1.3. Examples............................... 114 14.2. ElGamal System............................... 115 14.2.1. Examples............................... 116 14.3. Algorithms................................... 117 15.Elliptic Curve Cryptography 118 15.1. Elliptic Curves................................ 119 15.1.1. Elliptic Curves Over Zp ....................... 120 15.2. Example.................................... 121 15.3. Example Encryption System......................... 123 15.4. Additional Resources............................. 124 15.5. Curves in Practice.............................. 125 15.6. Curve25519.................................. 125 16.Diffie-Helman Key Exchange 125 17.Digital Signatures 126 V. Real-world Systems and Protocols 127 18.Transport Layer Security 127 18.1. OSI & TCP/IP Models............................ 127 18.2. TLS Handshake................................ 131 18.3. TLS algorithm suite............................. 133 18.4. TLS Versions & Problems.......................... 134 18.5. Other Issues.................................. 135 VI. Misc 136 19.Other Standards 136 20.Other Topics 136 21.Resources 137 21.1. Java Resources................................ 138 References 138 4 1. Introduction 1.1. Administrivia • Introduction • Roll • Blackboard resources • Syllabus and policies • Text books • Homework now available (due dates: TBD based on pace) • Project • Coursera: highly encouraged • What this course is: an introduction (Classical, modern ciphers, PK, hashes, etc.) • What this course is not: not a review of network protocols, not a pen testing, etc. • Mixture of theory and practice: neither in depth; both in breadth 1.2. What is Security? \A secure channel over which a message can be transmitted such that no one can eaves- drop" • Security involves storage, not just communication • A secure channel is not enough: what about the two end points? • Also need a mechanism for identification/authentication/non-repudiation \A system is secure if no untrusted party can gain access to information" • Edward Snowden \Security is ensuring that secrets are not revealed" • A locked box may not reveal any secrets, but it does reveal that secrets exist • A bank likely has money in it • Existence of communication indicates existence of entities communicating • Secure communication reveals a lot (you have a mole, existence of a spy etc.); honeypots \Security is a `solved' problem" • Data breaches and not going down • Potential loss and cost of breaches going up • Stakes will only increase • Most breaches are due to poor implementation, human error 5 • Not a solved problem Things to remember: • No such thing as perfect security • Security is a continuous process of escalation • Risk can only be mitigated, not eliminated • Catching the \bad" guy is not winning: if they got in, you already failed Security is a balance: • Convenience (if cost of usage is too high, users undermine it) • Efficiency • Provable vs. Probable security (theorists vs. pragmatists) The Big 4 and other Important Principles • Privacy and confidentiality • Integrity • Authentication • Non-repudiation • Communication scenarios and attack vectors • Kerckhoff's Principle: \A cryptographic system should be secure even if everything about the system, except the key, is public knowledge." • Obscurity is not security • Don't roll your own: in any real applications: { Don't implement your own adaptations of cryptographic algorithms { Don't invent your own algorithms or protocols { Don't mix cryptographic primitives into your own protocol { DO: rely on public and academic vetting of algorithms and protocols { DO: rely on well-established and tested libraries (some are even FIPS/NIST certified) { DO: have fun (roll your own for hobby/interest/this course) Course cavets: • I'm not a security expert or researcher • Lack of \current" resources; huge discipline, lots of RFCs, etc. • Suggestion: take Coursera's Security Specialization (free): https://www.coursera.org/specialization/cybersecurity/7/courses 1.3. Alphabet Soup DSA { Digital Signature Algorithm 6 ECDHE { Elliptic Curve Diffie-Hellman Ephemeral ECDSA { Elliptic Curve Digital Signature Algorithm FIPS { Federal Information Processing Standards ISO { International Organization for Standardization NIST { National Institute of Standards and Technology NSA { National Security Administration 7 Oscar Alice x eK (x) y Unsecure Channel Bob dK (y) x K Secure Channel Figure 1: Secure Communication Scenario Part I. Classical Ciphers & Cryptanalysis 2. Classical Ciphers 2.1. Basic Definitions Communication Scenario
Recommended publications
  • The Quadratic Sieve - Introduction to Theory with Regard to Implementation Issues

    The Quadratic Sieve - Introduction to Theory with Regard to Implementation Issues

    The Quadratic Sieve - introduction to theory with regard to implementation issues RNDr. Marian Kechlibar, Ph.D. April 15, 2005 Contents I The Quadratic Sieve 3 1 Introduction 4 1.1 The Quadratic Sieve - short description . 5 1.1.1 Polynomials and relations . 5 1.1.2 Smooth and partial relations . 7 1.1.3 The Double Large Prime Variation . 8 1.1.4 Problems to solve . 10 2 Quadratic Sieve Implementation 12 2.1 The Factor Base . 12 2.2 The sieving process . 15 2.2.1 Interval sieving and solution of polynomials . 16 2.2.2 Practical implementation . 16 2.3 Generation of polynomials . 17 2.3.1 Desirable properties of polynomials . 17 2.3.2 Assessment of magnitude of coecients . 18 2.3.3 MPQS - The Silverman Method . 20 2.3.4 SIQS principle . 21 2.3.5 Desirable properties of b . 22 2.3.6 SIQS - Generation of the Bi's . 23 2.3.7 Generation of b with Gray code formulas . 24 2.3.8 SIQS - General remarks on a determination . 26 2.3.9 SIQS - The bit method for a coecient . 27 2.3.10 SIQS - The Carrier-Wagsta method for a coecient . 28 2.4 Combination of the relations, partial relations and linear algebra 30 2.5 Linear algebra step . 31 2.6 The Singleton Gap . 32 1 3 Experimental Results 36 3.1 Sieving speed - dependence on FB size . 36 3.2 Sieving speed - dependence on usage of 1-partials . 38 3.3 Singletons - dependence on log(N) and FB size . 39 3.4 Properties of the sieving matrices .
  • Argon and Argon2

    Argon and Argon2

    Argon and Argon2 Designers: Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich University of Luxembourg, Luxembourg [email protected], [email protected], [email protected] https://www.cryptolux.org/index.php/Password https://github.com/khovratovich/Argon https://github.com/khovratovich/Argon2 Version 1.1 of Argon Version 1.0 of Argon2 31th January, 2015 Contents 1 Introduction 3 2 Argon 5 2.1 Specification . 5 2.1.1 Input . 5 2.1.2 SubGroups . 6 2.1.3 ShuffleSlices . 7 2.2 Recommended parameters . 8 2.3 Security claims . 8 2.4 Features . 9 2.4.1 Main features . 9 2.4.2 Server relief . 10 2.4.3 Client-independent update . 10 2.4.4 Possible future extensions . 10 2.5 Security analysis . 10 2.5.1 Avalanche properties . 10 2.5.2 Invariants . 11 2.5.3 Collision and preimage attacks . 11 2.5.4 Tradeoff attacks . 11 2.6 Design rationale . 14 2.6.1 SubGroups . 14 2.6.2 ShuffleSlices . 16 2.6.3 Permutation ...................................... 16 2.6.4 No weakness,F no patents . 16 2.7 Tweaks . 17 2.8 Efficiency analysis . 17 2.8.1 Modern x86/x64 architecture . 17 2.8.2 Older CPU . 17 2.8.3 Other architectures . 17 3 Argon2 19 3.1 Specification . 19 3.1.1 Inputs . 19 3.1.2 Operation . 20 3.1.3 Indexing . 20 3.1.4 Compression function G ................................. 21 3.2 Features . 22 3.2.1 Available features . 22 3.2.2 Server relief . 23 3.2.3 Client-independent update .
  • CASH: a Cost Asymmetric Secure Hash Algorithm for Optimal Password Protection

    CASH: a Cost Asymmetric Secure Hash Algorithm for Optimal Password Protection

    CASH: A Cost Asymmetric Secure Hash Algorithm for Optimal Password Protection Jeremiah Blocki Anupam Datta Microsoft Research Carnegie Mellon University August 23, 2018 Abstract An adversary who has obtained the cryptographic hash of a user's password can mount an offline attack to crack the password by comparing this hash value with the cryptographic hashes of likely password guesses. This offline attacker is limited only by the resources he is willing to invest to crack the password. Key-stretching techniques like hash iteration and memory hard functions have been proposed to mitigate the threat of offline attacks by making each password guess more expensive for the adversary to verify. However, these techniques also increase costs for a legitimate authentication server. We introduce a novel Stackelberg game model which captures the essential elements of this interaction between a defender and an offline attacker. In the game the defender first commits to a key-stretching mechanism, and the offline attacker responds in a manner that optimizes his utility (expected reward minus expected guessing costs). We then introduce Cost Asymmetric Secure Hash (CASH), a randomized key-stretching mechanism that minimizes the fraction of passwords that would be cracked by a rational offline attacker without increasing amortized authentication costs for the legitimate authentication server. CASH is motivated by the observation that the legitimate authentication server will typically run the authentication procedure to verify a correct password, while an offline adversary will typically use incorrect password guesses. By using randomization we can ensure that the amortized cost of running CASH to verify a correct password guess is significantly smaller than the cost of rejecting an incorrect password.
  • Chapter 3 – Block Ciphers and the Data Encryption Standard

    Chapter 3 – Block Ciphers and the Data Encryption Standard

    Chapter 3 –Block Ciphers and the Data Cryptography and Network Encryption Standard Security All the afternoon Mungo had been working on Stern's Chapter 3 code, principally with the aid of the latest messages which he had copied down at the Nevin Square drop. Stern was very confident. He must be well aware London Central knew about that drop. It was obvious Fifth Edition that they didn't care how often Mungo read their messages, so confident were they in the by William Stallings impenetrability of the code. —Talking to Strange Men, Ruth Rendell Lecture slides by Lawrie Brown Modern Block Ciphers Block vs Stream Ciphers now look at modern block ciphers • block ciphers process messages in blocks, each one of the most widely used types of of which is then en/decrypted cryptographic algorithms • like a substitution on very big characters provide secrecy /hii/authentication services – 64‐bits or more focus on DES (Data Encryption Standard) • stream ciphers process messages a bit or byte at a time when en/decrypting to illustrate block cipher design principles • many current ciphers are block ciphers – better analysed – broader range of applications Block vs Stream Ciphers Block Cipher Principles • most symmetric block ciphers are based on a Feistel Cipher Structure • needed since must be able to decrypt ciphertext to recover messages efficiently • bloc k cihiphers lklook like an extremely large substitution • would need table of 264 entries for a 64‐bit block • instead create from smaller building blocks • using idea of a product cipher 1 Claude
  • Feistel Like Construction of Involutory Binary Matrices with High Branch Number

    Feistel Like Construction of Involutory Binary Matrices with High Branch Number

    Feistel Like Construction of Involutory Binary Matrices With High Branch Number Adnan Baysal1,2, Mustafa C¸oban3, and Mehmet Ozen¨ 3 1TUB¨ ITAK_ - BILGEM,_ PK 74, 41470, Gebze, Kocaeli, Turkey, [email protected] 2Kocaeli University, Department of Computer Engineering, Faculty of Engineering, Institute of Science, 41380, Umuttepe, Kocaeli, Turkey 3Sakarya University, Faculty of Arts and Sciences, Department of Mathematics, Sakarya, Turkey, [email protected], [email protected] August 4, 2016 Abstract In this paper, we propose a generic method to construct involutory binary matrices from a three round Feistel scheme with a linear round function. We prove bounds on the maximum achievable branch number (BN) and the number of fixed points of our construction. We also define two families of efficiently implementable round functions to be used in our method. The usage of these families in the proposed method produces matrices achieving the proven bounds on branch numbers and fixed points. Moreover, we show that BN of the transpose matrix is the same with the original matrix for the function families we defined. Some of the generated matrices are Maximum Distance Binary Linear (MDBL), i.e. matrices with the highest achievable BN. The number of fixed points of the generated matrices are close to the expected value for a random involution. Generated matrices are especially suitable for utilising in bitslice block ciphers and hash functions. They can be implemented efficiently in many platforms, from low cost CPUs to dedicated hardware. Keywords: Diffusion layer, bitslice cipher, hash function, involution, MDBL matrices, Fixed points. 1 Introduction Modern block ciphers and hash functions use two basic layers iteratively to provide security: confusion and diffusion.
  • Fast Hashing and Stream Encryption with Panama

    Fast Hashing and Stream Encryption with Panama

    Fast Hashing and Stream Encryption with Panama Joan Daemen1 and Craig Clapp2 1 Banksys, Haachtesteenweg 1442, B-1130 Brussel, Belgium [email protected] 2 PictureTel Corporation, 100 Minuteman Rd., Andover, MA 01810, USA [email protected] Abstract. We present a cryptographic module that can be used both as a cryptographic hash function and as a stream cipher. High performance is achieved through a combination of low work-factor and a high degree of parallelism. Throughputs of 5.1 bits/cycle for the hashing mode and 4.7 bits/cycle for the stream cipher mode are demonstrated on a com- mercially available VLIW micro-processor. 1 Introduction Panama is a cryptographic module that can be used both as a cryptographic hash function and a stream cipher. It is designed to be very efficient in software implementations on 32-bit architectures. Its basic operations are on 32-bit words. The hashing state is updated by a parallel nonlinear transformation, the buffer operates as a linear feedback shift register, similar to that applied in the compression function of SHA [6]. Panama is largely based on the StepRightUp stream/hash module that was described in [4]. Panama has a low per-byte work factor while still claiming very high security. The price paid for this is a relatively high fixed computational overhead for every execution of the hash function. This makes the Panama hash function less suited for the hashing of messages shorter than the equivalent of a typewritten page. For the stream cipher it results in a relatively long initialization procedure. Hence, in applications where speed is critical, too frequent resynchronization should be avoided.
  • Fish-Stream Identification Guidebook

    Fish-Stream Identification Guidebook

    of BRITISH COLUMBIA Fish-stream Identification Guidebook Second edition Version 2.1 August 1998 BC Environment Fish-stream Identification Guidebook of BRITISH COLUMBIA Fish-stream Identification Guidebook Second edition Version 2.1 August 1998 Authority Forest Practices Code of British Columbia Act Operational Planning Regulation Canadian Cataloguing in Publication Data Main entry under title: Fish-stream identification guidebook. – 2nd ed. (Forest practices code of British Columbia) ISBN 0-7726-3664-8 1. Fishes – Habitat – British Columbia. 2. River surveys – British Columbia. 3. Forest management – British Columbia. 4. Riparian forests – British Columbia – Management. I. British Columbia. Ministry of Forests. SH177.L63F58 1998 634.9 C98-960250-8 Fish-stream Identification Guidebook Preface This guidebook has been prepared to help forest resource managers plan, prescribe and implement sound forest practices that comply with the Forest Practices Code. Guidebooks are one of the four components of the Forest Practices Code. The others are the Forest Practices Code of British Columbia Act, the regulations, and the standards. The Forest Practices Code of British Columbia Act is the legislative umbrella authorizing the Code’s other components. It enables the Code, establishes mandatory requirements for planning and forest practices, sets enforcement and penalty provisions, and specifies administrative arrangements. The regulations lay out the forest practices that apply province-wide. The chief forester may establish standards, where required, to expand on a regulation. Both regulations and standards are mandatory requirements under the Code. Forest Practices Code guidebooks have been developed to support the regulations, however, only those portions of guidebooks cited in regulation are part of the legislation.
  • Amy Bell Abilene, TX December 2005

    Amy Bell Abilene, TX December 2005

    Compositional Cryptology Thesis Presented to the Honors Committee of McMurry University In partial fulfillment of the requirements for Undergraduate Honors in Math By Amy Bell Abilene, TX December 2005 i ii Acknowledgements I could not have completed this thesis without all the support of my professors, family, and friends. Dr. McCoun especially deserves many thanks for helping me to develop the idea of compositional cryptology and for all the countless hours spent discussing new ideas and ways to expand my thesis. Because of his persistence and dedication, I was able to learn and go deeper into the subject matter than I ever expected. My committee members, Dr. Rittenhouse and Dr. Thornburg were also extremely helpful in giving me great advice for presenting my thesis. I also want to thank my family for always supporting me through everything. Without their love and encouragement I would never have been able to complete my thesis. Thanks also should go to my wonderful roommates who helped to keep me motivated during the final stressful months of my thesis. I especially want to thank my fiancé, Gian Falco, who has always believed in me and given me so much love and support throughout my college career. There are many more professors, coaches, and friends that I want to thank not only for encouraging me with my thesis, but also for helping me through all my pursuits at school. Thank you to all of my McMurry family! iii Preface The goal of this research was to gain a deeper understanding of some existing cryptosystems, to implement these cryptosystems in a computer programming language of my choice, and to discover whether the composition of cryptosystems leads to greater security.
  • Report on the AES Candidates

    Report on the AES Candidates

    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
  • Affine Cipher Project 1 Introduction

    Affine Cipher Project 1 Introduction

    Affine Cipher Project 141KECBZ0H5CRK1HUZK1CGPCR.5PUGUZU1WCU.CM1CUBHUCAK.6.Z5WCP1RK1UCH5 WC0EPU1KECU.C141KEC.UB1KXC,,RBHKV1PCWGRQ15P7CHCUHV1C.6CU9.CRGUG1P Directions: • Answer all numbered questions completely. • Show non-trivial work, and put your final answer in the box provided. • Questions without boxes should be answered in complete sentences in the space provided. 1 Introduction Cryptography is the study of secret codes, or the secure transmission of information that nobody except the desired recipient can read. By the end of this project, you will be able to decipher the quote printed above. The mathematical study of ciphers will lead us through a world in which the number line is a closed curve, and fractions do not exist. This project is designed to help you to: • read and understand definitions and notation • observe patterns and generalize • think logically, analytically, and abstractly • express problems and solutions precisely • follow examples • combine ideas to solve problems and create applications 1 2 Caesar Cipher A cipher is a function or algorithm for translating plaintext into encrypted ciphertext. Throughout history, governments and merchants have used ciphers to safely transmit sensitive information. Julius Caesar is said to have use a simple system of substituting each letter with the letter 3 spots over, wrapping around the alphabet if necessary. Here is the mapping: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z # # # # # # # # # # # # # # # # # # # # # # # # # # D E F G H I J K L M N O P Q R S T U V W X Y Z A B C Space and punctuation are discarded.
  • Cryptographic Sponge Functions

    Cryptographic Sponge Functions

    Cryptographic sponge functions Guido B1 Joan D1 Michaël P2 Gilles V A1 http://sponge.noekeon.org/ Version 0.1 1STMicroelectronics January 14, 2011 2NXP Semiconductors Cryptographic sponge functions 2 / 93 Contents 1 Introduction 7 1.1 Roots .......................................... 7 1.2 The sponge construction ............................... 8 1.3 Sponge as a reference of security claims ...................... 8 1.4 Sponge as a design tool ................................ 9 1.5 Sponge as a versatile cryptographic primitive ................... 9 1.6 Structure of this document .............................. 10 2 Definitions 11 2.1 Conventions and notation .............................. 11 2.1.1 Bitstrings .................................... 11 2.1.2 Padding rules ................................. 11 2.1.3 Random oracles, transformations and permutations ........... 12 2.2 The sponge construction ............................... 12 2.3 The duplex construction ............................... 13 2.4 Auxiliary functions .................................. 15 2.4.1 The absorbing function and path ...................... 15 2.4.2 The squeezing function ........................... 16 2.5 Primary aacks on a sponge function ........................ 16 3 Sponge applications 19 3.1 Basic techniques .................................... 19 3.1.1 Domain separation .............................. 19 3.1.2 Keying ..................................... 20 3.1.3 State precomputation ............................ 20 3.2 Modes of use of sponge functions .........................
  • Cryptanalysis of MD4

    Cryptanalysis of MD4

    Cryptanalysis of MD4 Hans Dobbertin German Information Security Agency P. O. Box 20 03 63 D-53133 Bonn e-maih dobbert inQskom, rhein .de Abstract. In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD, a European proposal, was designed as a stronger mode of MD4. Recently wc have found an attack against two of three rounds of RIPEMD. As we shall show in the present note, the methods developed to attack RIPEMD can be modified and supplemented such that it is possible to break the full MD4, while previously only partial attacks were known. An implementation of our attack allows to find collisions for MD4 in a few seconds on a PC. An example of a collision is given demonstrating that our attack is of practical relevance. 1 Introduction Rivest [7] introduced the hash function MD4 in 1990. The MD4 algorithm is defined as an iterative application of a three-round compress function. After an unpublished attack on the first two rounds of MD4 due to Merkle and an attack against the last two rounds by den Boer and Bosselaers [2], Rivest introduced the strengthened version MD5 [8]. The most important difference to MD4 is the adding of a fourth round. On the other hand the stronger mode RIPEMD [1] of MD4 was designed as a European proposal in 1992. The compress function of RIPEMD consists of two parallel lines of a modified version of the MD4 compress function. In [4] we have shown that if the first or the last round of its compress function is omitted, then RIPEMD is not collision-free.