DOCSLIB.ORG

Attacks on Cryptographic Hash Functions and Advances Arvind K

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347 Attacks on Cryptographic Hash Functions and Advances Arvind K. Sharma1, Dr.S.K. Mittal2, Dr.Sumit Mittal3 1,3 Department of Computer Applications (MMICT&BM) Maharishi Markandeshwar University, Mullana, Ambala (Haryana), India University School of Engineering & Technology2 Rayat Bahra University, Sahibzada Ajit Singh Nagar (Punjab), India Email: [email protected], [email protected], [email protected] Abstract: −− Cryptographic Hash Functions have a distinct importance in the area of Network Security or Internet Security as compare to Symmetric and Public Key Encryption-Decryption techniques. Major issues primarily which resolved by any hash algorithm, are to manage the Integrity and Authenticity of messages which are to be transmitting between communicating parties and users with digital signatures. Hash function also utilized for fixed length secrect key generation in Symmetric and Public Key Cryptosystems. Different level of security provided by different algorithms depending on how difficult is to break them. The most well-known hash algorithms are MD4, MD5, SHA, JH, Skein, Grøstl, Blake, Hamsi, Fugue, Crush, Whirlpool, Tav etc. In this paper we are discussing importance of hash functions, hash functions widely used in networking, most importantly various Attacks applicable on hash functions and compression functions utilized by hash functions. Keywords: Algorithms; Compression Function, Cipher; Stream; Block; Confidentiality; Integity; Authentication; Server; Message-Digest, Message-Block, Non-repudation;Differential; Communication between at-least two parties using a network may uses Encryption-Decryption 1. Introduction techniques to maintain privacy. And for Security and Privacy in interconnected authentication purpose apart from Encryption- domain means to preserve the Confidentiality, Decryption techniques Hash Functions most Integrity and Authenticity of messages as well as widely used. The world is becoming more manages the Accountability and Authorization of interconnected with the help of Internet and new resources to be used. Security initializes with networking technologies and there is huge Authorization i.e. enterance to particular system amount of personal, military, commercial, and commonly with the help of pre-specified government information on networking credentials like username and password. infrastructures worldwide available. So it‟s Network Security consists of the Policies important to find out who is transmitting critical adopted or Rules specified by a Network data and who is receving, this will be take care Analysist, Administrator or Cyber Security by accountabilty policies managed by Experts to prevent and track unauthorized access administrator. But how to identify wheather data (i.e., with ACL, Logs, Firewalls) and received by one user is sent or e-mailed by valid modification in system and, denial of a computer user or the data received is actual one and not network and network resources. If a user manipulated (i.e., Non-Repudation, Integrity). authorized to do something still, a firewall forces All these issues resolved by proving the to access policies or rules such as what services authenticity of data and user with the help of are allowed to be accessed for that network user hash function individually or with digital and to that user w.r.t. current location, as some signatures scheme. As these systems quite services only to be accessed by authorized users helpful for us to manage various networking in intranet not on internet. So these policies are problems, still these are vulnerable to attacks too, okay to prevent unauthorized access to system, so in this paper we‟re importantly focusing on but this component may fail to check potentially attacks which can be applied to hash functions or harmful content such as computer Worms or compression functions and it‟s level of impact. Trojans being transmitted over the network. Organization of the Paper: The rest of the Anti-virus software or an Intrusion Detection paper is organized as follow. Section II describe System (IDS) help detect the Malware. 1 Volume 5, Issue 11, November 2018 89 http://ijics.com INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347 in brief about Hash Functions and, Properties of easy to generate a message code of given Hash Functions and their Varients, Section III message but hard to generate a message back describe Types of Attacks and it‟s impact on from given digest. The fifth requirement also Hash Functions, we are winding our work with known as Second pre-image resistance or conclusion and my future work with some new Collision resistance property guarantees that an techniques. And at end acknowledgement, alternative message hashing to the same code as References takes place. a given message cannot be found. 2. Cryptographic Hash Functions The term hash function has been used in computer science and it refers to a function that compresses a message of arbitrary lenght to a message of fixed length called Message Digest. However if it satisfies some additional requirements, then it can be used for cryptographic applications and then known as Cryptographic Hash functions. Cryptographic Hash functions are most important tool in the stream of Security and Cryptography and are Fig 2.1: Hash Function [24] used to achieve a number of security goals like authenticity, digital signatures, pseudo number There are various Hash functions exists in the generation, digital time stamping etc. Hash history and current market, many of them are Function may be of two types Keyed and Un- used continuely from a decade in order to Keyed. Keyed Hash Functions use secret key provide services after updations, because of there (Salt) for computing the digest and these are also well known security and other properties. We‟re known as MAC (Message Authentication Code) using these variants as per requirements and but in other we are not using any secret key. when need ariese such that, for systems like Secret key can be distributed in a secure way also where lower level of security required like: OTP to the parties. It‟ll be nice to use random key generation for few seconds, or for few minutes or generation system there, or take a help of well in wireless sensons services it‟s better to use MD known technologies like Kerberos, Radius or family based hash function or light weight hash Certificates.. functions like: Locha, Photon, Quark etc. which have small digest size, because these services are One-way Hash Function (OWHF) defined by frequent onces and expired after a certain time Merkle [3] is a hash function „H‟, that satisfies period (Timestamp) so, there is no need to go for the following requirements: those hash functions which have a very complex 1. H can be applied to Block of data of any structure to execute through, high power length. (any length means size of Block must consumption and large digest size. On the other be greater than size of Digest we conclude at hand where we required to store Passwords, the end). Keys, etc. for long period of time it‟s highly 2. H produces a fixed-length output i.e., recommended that we opt for highly secure hash Message Digest. functions like: SHA family, SHA-1, SHA-2, SHA-3, JH, Skein, Grøstl, Blake, Hamsi, Fugue, 3. Given H and x (any given input), it is easy to Crush, Whirlpool, Tav etc. As I already computer Message Digest H(x). discussed in detail about variou Hash Function in 4. Given H and H(x), it is computationally my previously published Research article [32] so infeasible to find x. here I just closed this section just with MD(x) and SHA only. 5. Given H and H(x), it is computationally infeasible to find x and x‟ such that H(x) = MD(x) H(x‟). Ivan Damgard [2] and Ralph Merkle [3] in The first three requirements are must for 1989 independently proposed the iterative practical applications of a hash function to technique for construction of collision resistant message authentication and digital signatures. hash function by using fixed length input The fourth requirement also known as pre-image compression function. Both give proof(s) in their resistance or one way property, states that it is researh papers [3], [2] that if there exists a fixed 2 Volume 5, Issue 11, November 2018 90 http://ijics.com INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347 length collision resistant compression function: f: and the block permutation is applied if additional {0,1}a X {0,1}b → {0,1}c then one can design a output is desired. Central to the Sponge variable length input collision resistant hash construction is capacity „c‟ of hash function and function H: {0,1}* → {0,1}n ,by repeatedly it can be adjusted based on security requirements. iterating that compression function. This scheme SHA-3 [10] final round candidate algorithm is now mostly called Merkle-Damgard Keccak [10] is a hash function based on Sponge construction. construction only and it sets a conservative c = 2n, where „n‟ is the size of the output hash. Now SHA in the next section we‟re proceeding with various SHA is called Secure Hash Algorithms, types of attack(s) possible on cryptographic hash which is most widely used hash function till date function and it‟s insider compression function. in many different places like: Software(s), Websites, OS, Servers, Banking Systems and in 3. Attack on Hash Functions Back-end Databases etc. It was first proposed by Uses of Hash Functions is well known to National Institute of Standard and Technology persons who‟re working in the area of (NIST), United States in late 1993. It based on Cryptography i.e., branch of Networking and the same design strategy as used by MD(x) Securiy, As Hash functions properly providing family and was published as (FIPS-180) in 1993 necessary security services from long ago w.r.t.
Recommended publications
  • Cryptographic Hash Functions and Message Authentication Code

    Cryptographic Hash Functions and Message Authentication Code

    Cryptographic Hash Functions and Message Authentication Code Thierry Sans Cryptographic hashing H m1 m2 x1 m3 x2 H(m) = x is a hash function if • H is one-way function • m is a message of any length • x is a message digest of a fixed length ➡ H is a lossy compression function necessarily there exists x, m1 and m2 | H(m1) = H(m2) = x Computational complexity m H x • Given H and m, computing x is easy (polynomial or linear) • Given H and x, computing m is hard (exponential) ➡ H is not invertible Preimage resistance and collision resistance m H x PR - Preimage Resistance (a.k.a One Way) ➡ given H and x, hard to find m e.g. password storage 2PR - Second Preimage Resistance (a.k.a Weak Collision Resistance) ➡ given H, m and x, hard to find m’ such that H(m) = H(m’) = x e.g. virus identification CR - Collision Resistance (a.k.a Strong Collision Resistance) ➡ given H, hard to find m and m’ such that H(m) = H(m’) = x e.g. digital signatures CR → 2PR and CR → PR Hash functions in practice IV n’ bits n bits n’ bits Common hash functions m H x Name SHA-2 SHA-3 MD5 SHA-1 Variant SHA-224 SHA-256 SHA-384 SHA-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Year 1992 1993 2001 2012 Guido Bertoni, Joan Daemen, Michaël Designer Rivest NSA NSA Peeters, and Gilles Van Assche Input 512 512 512 512 1024 1024 1152 1088 832 576 n bits Output 128 160 224 256 384 512 224 256 384 512 n’ bits Speed 6.8 11.4 15.8 17.7 12.5 cycle/byte Considered Broken yes yes no no How to hash long messages ? Merkle–Damgård construction m split m in blocks of n bits and add padding p n bits m1
  • RESOURCE-EFFICIENT CRYPTOGRAPHY for UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective

    RESOURCE-EFFICIENT CRYPTOGRAPHY for UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective

    RESOURCE-EFFICIENT CRYPTOGRAPHY FOR UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective DISSERTATION for the degree of Doktor-Ingenieur of the Faculty of Electrical Engineering and Information Technology at the Ruhr University Bochum, Germany by Elif Bilge Kavun Bochum, December 2014 Copyright © 2014 by Elif Bilge Kavun. All rights reserved. Printed in Germany. Anneme ve babama... Elif Bilge Kavun Place of birth: Izmir,˙ Turkey Author’s contact information: [email protected] www.emsec.rub.de/chair/ staff/elif bilge kavun Thesis Advisor: Prof. Dr.-Ing. Christof Paar Ruhr-Universit¨atBochum, Germany Secondary Referee: Prof. Christian Rechberger Danmarks Tekniske Universitet, Denmark Thesis submitted: December 19, 2014 Thesis defense: February 6, 2015 v Abstract Technological advancements in the semiconductor industry over the last few decades made the mass production of very small-scale computing devices possible. Thanks to the compactness and mobility of these devices, they can be deployed “pervasively”, in other words, everywhere and anywhere – such as in smart homes, logistics, e-commerce, and medical technology. Em- bedding the small-scale devices into everyday objects pervasively also indicates the realization of the foreseen “ubiquitous computing” concept. However, ubiquitous computing and the mass deployment of the pervasive devices in turn brought some concerns – especially, security and privacy. Many people criticize the security and privacy management in the ubiquitous context. It is even believed that an inadequate level of security may be the greatest barrier to the long-term success of ubiquitous computing. For ubiquitous computing, the adversary model and the se- curity level is not the same as in traditional applications due to limited resources in pervasive devices – area, power, and energy are actually harsh constraints for such devices.
  • Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using Fpgas

    Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using Fpgas

    Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski ECE Department, George Mason University, Fairfax, VA 22030, U.S.A. {kgaj,ehomsiri,mrogawsk}@gmu.edu http://cryptography.gmu.edu Abstract. Performance in hardware has been demonstrated to be an important factor in the evaluation of candidates for cryptographic stan- dards. Up to now, no consensus exists on how such an evaluation should be performed in order to make it fair, transparent, practical, and ac- ceptable for the majority of the cryptographic community. In this pa- per, we formulate a proposal for a fair and comprehensive evaluation methodology, and apply it to the comparison of hardware performance of 14 Round 2 SHA-3 candidates. The most important aspects of our methodology include the definition of clear performance metrics, the de- velopment of a uniform and practical interface, generation of multiple sets of results for several representative FPGA families from two major vendors, and the application of a simple procedure to convert multiple sets of results into a single ranking. Keywords: benchmarking, hash functions, SHA-3, FPGA. 1 Introduction and Motivation Starting from the Advanced Encryption Standard (AES) contest organized by NIST in 1997-2000 [1], open contests have become a method of choice for select- ing cryptographic standards in the U.S. and over the world. The AES contest in the U.S. was followed by the NESSIE competition in Europe [2], CRYPTREC in Japan, and eSTREAM in Europe [3]. Four typical criteria taken into account in the evaluation of candidates are: security, performance in software, performance in hardware, and flexibility.
  • Hello, and Welcome to This Presentation of the STM32MP1 Hash Processor

    Hello, and Welcome to This Presentation of the STM32MP1 Hash Processor

    Hello, and welcome to this presentation of the STM32MP1 hash processor. 1 Hash peripheral is in charge of efficient computing of message digest. A digest is a fixed-length value computed from an input message. A digest is unique - it is virtually impossible to find two messages with the same digest. The original message cannot be retrieved from its digest. Hash digests and Hash-based Message Authentication Code (HMAC) are widely used in communication since they are used to guarantee the integrity and authentication of a transfer. 2 HASH1 is a secure peripheral (under ETZPC control through ETZPC_DECPROT0 bit 8) while HASH2 is a non secure peripheral. HASH1 instance can be allocated to: • The Arm® Cortex®-A7 secure core to be controlled in OP-TEE by the HASH OP-TEE driver or • The Arm® Cortex® -A7 non-secure core for using in Linux® with Linux Crypto framework HASH2 instance can be allocated to the Arm® Cortex®-M4 core to be controlled in the STM32Cube MPU Package using the STM32Cube HASH driver. HASH1 instance is used as boot device to support binary authentication. 3 The hash processor supports widely used hash functions including Message Digest 5 (MD5), Secure Hash Algorithm SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. A hash can also be generated with a secrete-key to produce a message authentication code (MAC). The processor supports bit, byte and half-word swapping. It supports also automatic padding of input data for block alignment. The processor can be used in conjunction with the DMA for automatic processor feeding.
  • Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGNOF CRYPTOGRAPHIC ACCELERATORS

    Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGNOF CRYPTOGRAPHIC ACCELERATORS

    Title Hardware design of cryptographic accelerators Author(s) Baldwin, Brian John Publication date 2013 Original citation Baldwin, B.J., 2013. Hardware design of cryptographic accelerators. PhD Thesis, University College Cork. Type of publication Doctoral thesis Rights © 2013. Brian J. Baldwin http://creativecommons.org/licenses/by-nc-nd/3.0/ Embargo information No embargo required Item downloaded http://hdl.handle.net/10468/1112 from Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGN OF CRYPTOGRAPHIC ACCELERATORS by BRIAN BALDWIN Thesis submitted for the degree of PHD from the Department of Electrical Engineering National University of Ireland University College, Cork, Ireland May 7, 2013 Supervisor: Dr. William P. Marnane “What I cannot create, I do not understand” - Richard Feynman; on his blackboard at time of death in 1988. Contents 1 Introduction 1 1.1 Motivation...................................... 1 1.2 ThesisAims..................................... 3 1.3 ThesisOutline................................... 6 2 Background 9 2.1 Introduction.................................... 9 2.2 IntroductiontoCryptography. ...... 10 2.3 MathematicalBackground . ... 13 2.3.1 Groups ................................... 13 2.3.2 Rings .................................... 14 2.3.3 Fields.................................... 15 2.3.4 FiniteFields ................................ 16 2.4 EllipticCurves .................................. 17 2.4.1 TheGroupLaw............................... 18 2.4.2 EllipticCurvesoverPrimeFields . .... 19 2.5 CryptographicPrimitives&Protocols
  • Sharing Resources Between AES and the SHA-3 Second Round

    Sharing Resources Between AES and the SHA-3 Second Round

    Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Kimmo Järvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo, Finland AES-inspired SHA-3 Candidates I Design strongly influenced by AES: Share the structure and have significant similarity in transformations, or even use AES as a subroutine I ECHO, Fugue, Grøstl, and SHAvite-3 I Benadjila et al. (ASIACRYPT 2009) studied useability of Intel’s AES instructions for AES-inspired candidates Conclusion: only ECHO and SHAvite-3, which use AES as a subroutine, benefit from the instructions I This is the first study of combining AES with the SHA-3 candidates on hardware (FPGA) The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Research Topics and Motivation Research Questions I What modifications are required to embed AES into the data path of the hash algorithm (or vice versa)? I How much resources can be shared (logic, registers, memory, . )? I What are the costs (area, delay, throughput, power consumption, . )? Applications I Any applications that require dedicated hardware implementations of a hash algorithm and a block cipher would benefit from reduced costs I Particularly important if resources are very limited The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Advanced Encryption Standard AES with a 128-bit key (AES-128) 8 I State: 4 × 4 bytes; each byte is an element of GF(2 ) I 10 rounds with four transformations Transformations I SubBytes: Bytes mapped
  • Grostl-Comment-April28.Pdf

    Grostl-Comment-April28.Pdf

    Some notes on Grøstl John Kelsey, NIST, April 2009 These are some quick notes on some properties and observations of Grøstl. Nothing in this note threatens the hash function; instead, I'm pointing out some properties that are a bit surprising, and some broad approaches someone might take to get attacks to work. I've discussed these with the Grøstl team, and gotten quite a bit of useful feedback. I'm pretty sure they agree that my observations are correct, but obviously, any errors here are mine alone. 1 Grøstl Compression Function The Grøstl compression function is built from two different fixed permutations, P and Q, on 2n bits, where n is the final hash output size. The design is quite interesting; among other things, this (like LANE and Luffa, among others) takes away the key schedule as a way of affecting things inside P and Q. Here is a picture of the Grøstl compression function: M Q v u w Y + P + Z In this diagram, I've labeled the input hash chaining value Y, the output Z, and the message M. Similarly, I have introduced variables for the internal values inside the compression function--u, v, and w. I'll use this notation a lot in the next few pages to simplify discussion. To write this in terms of equations: u = Y xor M v = Q(M) w = P(u) Z = v xor w xor Y or, in a shorter form: Z = Q(M) xor P(Y xor M) xor Y It's important to remember here that all variables are 2n bits, so for a 256-bit hash, they're 512 bits each.
  • Methods and Tools for Analysis of Symmetric Cryptographic Primitives

    Methods and Tools for Analysis of Symmetric Cryptographic Primitives

    METHODSANDTOOLS FOR ANALYSIS OF SYMMETRICCRYPTOGRAPHIC PRIMITIVES Oleksandr Kazymyrov dissertation for the degree of philosophiae doctor the selmer center department of informatics university of bergen norway DECEMBER 1, 2014 A CKNOWLEDGMENTS It is impossible to thank all those who have, directly or indirectly, helped me with this thesis, giving of their time and experience. I wish to use this opportunity to thank some of them. Foremost, I would like to express my very great appreciation to my main supervisor Tor Helleseth, who has shared his extensive knowledge and expe- rience, and made warm conditions for the comfortable research in one of the rainiest cities in the world. I owe a great deal to Lilya Budaghyan, who was always ready to offer assistance and suggestions during my research. Advice given by Alexander Kholosha has been a great help in the early stages of my work on the thesis. My grateful thanks are also extended to all my friends and colleagues at the Selmer Center for creating such a pleasant environment to work in. I am particularly grateful to Kjell Jørgen Hole, Matthew G. Parker and Håvard Raddum for the shared teaching experience they provided. Moreover, I am very grateful for the comments and propositions given by everyone who proofread my thesis. In addition, I would like to thank the administrative staff at the Department of Informatics for their immediate and exhaustive solutions of practical issues. I wish to acknowledge the staff at the Department of Information Tech- nologies Security, Kharkiv National University of Radioelectronics, Ukraine, especially Roman Oliynykov, Ivan Gorbenko, Viktor Dolgov and Oleksandr Kuznetsov for their patient guidance, enthusiastic encouragement and useful critiques.
  • Recommendation for Applications Using Approved Hash Algorithms

    Recommendation for Applications Using Approved Hash Algorithms

    Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-107 Title: Recommendation for Applications Using Approved Hash Algorithms Publication Date(s): February 2009 Withdrawal Date: August 2012 Withdrawal Note: SP 800-107 is superseded in its entirety by the publication of SP 800-107 Revision 1 (August 2012). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-107 Revision 1 Title: Recommendation for Applications Using Approved Hash Algorithms Author(s): Quynh Dang Publication Date(s): August 2012 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.107r1 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-107 Rev. 1 (as of August 12, 2015) attached publication: Related information: http://csrc.nist.gov/ Withdrawal N/A announcement (link): Date updated: ƵŐƵƐƚϭϮ, 2015 NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department of Commerce Otto J. Wolff, Acting Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NIST SP 800-107 Abstract Cryptographic hash functions that compute a fixed- length message digest from arbitrary length messages are widely used for many purposes in information security. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved cryptographic hash functions specified in Federal Information Processing Standard (FIPS) 180-3.
  • Rebound Attack

    Rebound Attack

    Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based
  • Modes of Operation for Compressed Sensing Based Encryption

    Modes of Operation for Compressed Sensing Based Encryption

    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
  • A Short Note on AES-Inspired Hashes

    A Short Note on AES-Inspired Hashes

    A Short Note on AES-Inspired Hashes Tor E. Bjørstad University of Bergen, Norway Email : [email protected] 1 Introduction This paper gives a rough classification of various AES-based hash algorithms that have been accepted for Round 1 of the NIST Hash Function Competition. We compare the different algorithms based on the number of \AES-like" rounds performed by a single invocation of the compression function, versus the size of the input block. This is not particularly rigorous or scientific way of comparing hash algorithms, but as we shall see it may still yield somewhat interesting results. With the exception of Sarmal and Whirlpool, all the listed algorithms use the AES S-box as their only source of nonlinearity. How they use it is a different matter. What all the algorithms do have in common, is that they use the 8 bit S-box together with a MDS matrix, in a construction where SubBytes() and MixColumns() are applied after one another on some internal data structure. The actual MDS matrices used are frequently different from the one in AES; for instance, Fugue uses a 16 × 16 matrix. For the sake of comparison, the number of of rounds has been normalised to correspond to those of AES-128. This is not entirely fair, but it would be hard to make any comparison between the internals of such wildly different hash algorithms without making some (over)simplifications. The reader is invited to take note of 3 main observations. First, there is a very wide spread between the number of \rounds" used by the different algorithms { but a strong tendency of clustering.