DOCSLIB.ORG

Lecture Notes in Computer Science 2355 Edited by G

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Lecture Notes in Computer Science 2355 Edited by G Lecture Notes in Computer Science 2355 Edited by G. Goos, J. Hartmanis, and J. van Leeuwen 3 Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Tokyo Mitsuru Matsui (Ed.) Fast Software Encryption 8th International Workshop, FSE 2001 Yokohama, Japan, April 2-4, 2001 Revised Papers 13 Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands Volume Editor Mitsuru Matsui Mitsubishi Electric Corporation 5-1-1 Ofuna Kamakura Kanagawa, 247-8501, Japan E-mail: [email protected] Cataloging-in-Publication Data applied for Die Deutsche Bibliothek - CIP-Einheitsaufnahme Fast software encryption : 8th international workshop ; proceedings / FSE 2001, Yokohama, Japan, April2-4,2001. Mitsuru Matsui (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Hong Kong ; London ; Milan ; Paris ; Tokyo : Springer, 2002 (Lecture notes in computer science ; Vol. 2355) ISBN 3-540-43869-6 CR Subject Classification (1998): E.3, F.2.1, E.4, G.4 ISSN 0302-9743 ISBN 3-540-43869-6 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law. Springer-Verlag Berlin Heidelberg New York a member of BertelsmannSpringer Science+Business Media GmbH http://www.springer.de © Springer-Verlag Berlin Heidelberg 2002 Printed in Germany Typesetting: Camera-ready by author, data conversion by PTP Berlin, Stefan Sossna e. K. Printed on acid-free paper SPIN 10870083 06/3142 543210 Preface Fast Software Encryption is an eight-year-old workshop on symmetric crypto- graphy, including the design and cryptanalysis of block and stream ciphers, as well as hash functions. The first Fast Software Encryption Workshop was held in Cambridge in 1993, followed by Leuven in 1994, Cambridge in 1996, Haifa in 1997, Paris in 1998, Rome in 1999, and New York in 2000. This Fast Software Encryption Workshop, FSE 2001, was held from 2-4 April 2001 in Yokohama, Japan, in cooperation with the Institute of Industrial Science, of the University of Tokyo. This year a total of 46 papers were submitted to FSE 2001. After a two- month review process, 27 papers were accepted for presentation at the workshop. In addition, we were fortunate to be able to organize a special talk by Bart Preneel on the NESSIE project, a European initiative to evaluate cryptographic algorithms. The committee of this workshop was: General Chair Hideki Imai (The University of Tokyo) Program Committee Ross Anderson (Cambridge Univ.) Eli Biham (Technion) Cunsheng Ding (Singapore) Henri Gilbert (France Telecom) Dieter Gollman (Microsoft) Thomas Johansson (Lund Univ.) Lars Knudsen (Bergen Univ.) James Massey (Denmark) Mitsuru Matsui (Mitsubishi Electric, Chair) Kaisa Nyberg (Nokia) Bart Preneel (Katholieke Univ. Leuven) Bruce Schneier (Counterpane) We would like to thank all submitting authors and the committee members for their hard work. We are also appreciative of the financial support provided by Mitsubishi Electric Corporation. Special thanks are due to Toshio Tokita, Junko Nakajima, Yasuyuki Sakai, Seiichi Amada, Toshio Hasegawa, Katsuyuki Takashima, and Toru Sorimachi for their efforts in making the local arrangements for this workshop. We were very pleased and honored to host the first FSE workshop held in Asia. Finally, we are also happy to announce that the next FSE will be the first FSE workshop sponsored by International Association for Cryptologic Research (IACR). May 2002 Mitsuru Matsui Table of Contents Cryptanalysis of Block Ciphers I The Saturation Attack – A Bait for Twofish ........................... 1 Stefan Lucks Linear Cryptanalysis of Reduced Round Serpent ....................... 16 Eli Biham, Orr Dunkelman, Nathan Keller Cryptanalysis of the Mercy Block Cipher ............................. 28 Scott R. Fluhrer Hash Functions and Boolean Functions Producing Collisions for PANAMA ................................... 37 Vincent Rijmen, Bart Van Rompay, Bart Preneel, Joos Vandewalle The RIPEMDL and RIPEMDR Improved Variants of MD4 Are Not Collision Free ...................................................... 52 Christophe Debaert, Henri Gilbert New Constructions of Resilient Boolean Functions with Maximal Nonlinearity ....................................................... 66 Yuriy Tarannikov Modes of Operations Optimized Self-Synchronizing Mode of Operation ...................... 78 Ammar Alkassar, Alexander Geraldy, Birgit Pfitzmann, Ahmad-Reza Sadeghi Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes .............................................. 92 Virgil D. Gligor, Pompiliu Donescu Incremental Unforgeable Encryption ..................................9 Enrico Buonanno, Jonathan Katz, Moti Yung Cryptanalysis of Stream Ciphers I ZIP Attacks with Reduced Known Plaintext ...........................125 Michael Stay Cryptanalysis of the SEAL 3.0 Pseudorandom Function Family ..........135 Scott R. Fluhrer VIII Table of Contents Cryptanalysis of SBLH .............................................144 Goce Jakimovski, Ljupˇco Kocarev A Practical Attack on Broadcast RC4 ................................152 Itsik Mantin, Adi Shamir Cryptanalysis of Block Ciphers II Improved Square Attacks against Reduced-Round Hierocrypt ........165 Paulo S.L.M. Barreto, Vincent Rijmen, Jorge Nakahara, Bart Preneel, Joos Vandewalle, Hae Y. Kim Differential Cryptanalysis of Q .......................................174 Eli Biham, Vladimir Furman, Michal Misztal, Vincent Rijmen Differential Cryptanalysis of Nimbus .................................187 Vladimir Furman Cryptanalysis of Stream Ciphers II Fast Correlation Attack Algorithm with List Decoding and an Application .......................................................196 Miodrag J. Mihaljevi´c, Marc P.C. Fossorier, Hideki Imai Bias in the LEVIATHAN Stream Cipher ..............................211 Paul Crowley, Stefan Lucks Analysis of SSC2...................................................219 Daniel Bleichenbacher, Willi Meier Pseudo-Randomness Round Security and Super-Pseudorandomness of MISTY Type Structure ....................................................233 Tetsu Iwata, Tomonobu Yoshino, Tomohiro Yuasa, Kaoru Kurosawa New Results on the Pseudorandomness of Some Blockcipher Constructions .....................................................248 Henri Gilbert, Marine Minier FSE2001 Special Talk NESSIE: A European Approach to Evaluate Cryptographic Algorithms ...267 Bart Preneel Cryptanalysis of Block Ciphers III Related Key Attacks on Reduced Round KASUMI .....................277 Mark Blunden, Adrian Escott Table of Contents IX Security of Camellia against Truncated Differential Cryptanalysis ........286 Masayuki Kanda, Tsutomu Matsumoto Impossible Differential Cryptanalysis of Zodiac ........................300 Deukjo Hong, Jaechul Sung, Shiho Moriai, Sangjin Lee, Jongin Lim Design and Evaluation The Block Cipher SC00 ...........................................312 Takeshi Shimoyama, Hitoshi Yanami, Kazuhiro Yokoyama, Masahiko Takenaka, Kouichi Itoh, Jun Yajima, Naoya Torii, Hidema Tanaka Flaws in Differential Cryptanalysis of Skipjack .........................328 Louis Granboulan Efficient Algorithms for Computing Differential Properties of Addition ..........................................................336 Helger Lipmaa, Shiho Moriai Author Index .................................................351 The Saturation Attack – A Bait for Twofish Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim, Germany [email protected] Abstract. This paper introduces the notion of a “saturation attack”. Consider a permutation p over w-bit words. If p is applied to all 2w dis- joint words, the set of outputs is exactly the same as the set of inputs. A saturation attack exploits this fact. The current paper applies saturation attacks on reduced-round variants of the Twofish block cipher with up to seven rounds with full whitening or eight rounds without whitening at the end (i.e., half of the cipher). The attacks take up to 2127 chosen plaintexts (half of the codebook) and are 2–4 times faster than exhaustive search. The attacks are based on key-independent distinguishers for up to six rounds of Twofish, making extensive use of saturation properties. 1 Introduction Modern b-bit block ciphers often use permutations p : {0, 1}w →{0, 1}w with w<bas building blocks. E.g., p may be an S-box, a round function, or a group operation where one of the operands is constant. The constant may be unknown to the cryptanalyst, e.g. as a part of the (round) key. We regard the input for p as a data channel. For the cryptanalyst, p may be known or unknown, and the cryptanalysts may be unable to determine the input for p.A“saturation attack” is based on the idea of choosing a set of k ∗ 2w plaintexts such that each of the 2w inputs for p occurs exactly k times. In this case, we say that the data channel into p is “saturated”. A saturation attack exploits the fact that if
Load more

Recommended publications
  • Integral Cryptanalysis on Full MISTY1⋆
    Integral Cryptanalysis on Full MISTY1? Yosuke Todo NTT Secure Platform Laboratories, Tokyo, Japan [email protected] Abstract. MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 263:58 chosen plaintexts and 2121 time complexity. Moreover, if we can use 263:994 chosen plaintexts, the time complexity for our attack is reduced to 2107:9. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack. Keywords: MISTY1, Integral attack, Division property 1 Introduction MISTY [Mat97] is a block cipher designed by Matsui in 1997 and is based on the theory of provable security [Nyb94,NK95] against differential attack [BS90] and linear attack [Mat93]. MISTY has a recursive structure, and the component function has a unique structure, the so-called MISTY structure [Mat96].
    [Show full text]
  • SAEB: a Lightweight Blockcipher-Based AEAD Mode of Operation
    SAEB: A Lightweight Blockcipher-Based AEAD Mode of Operation Yusuke Naito1, Mitsuru Matsui1, Takeshi Sugawara2 and Daisuke Suzuki1 1 Mitsubishi Electric Corporation, Japan {Naito.Yusuke@ce,Matsui.Mitsuru@ab,Suzuki.Daisuke@bx}.MitsubishiElectric.co.jp 2 The University of Electro-Communications, Japan [email protected] Abstract. Lightweight cryptography in computationally constrained devices is ac- tively studied. In contrast to advances of lightweight blockcipher in the last decade, lightweight mode of operation is seemingly not so mature, yet it has large impact in performance. Therefore, there is a great demand for lightweight mode of oper- ation, especially that for authenticated encryption with associated data (AEAD). Among many known properties of conventional modes of operation, the following four properties are essential for constrained devices: 1. Minimum State Size: the state size equals to a block size of a blockcipher. 2. Inverse Free: no need for a blockcipher decryption. 3. XOR Only: only XOR is needed in addition to a blockcipher encryption. 4. Online: a data block is processed only once. The properties 1 and 4 contribute to small memory usage, and the properties 2 and 3 contribute to small program/circuit footprint. On top of the above properties, the fifth property regarding associated data (AD) is also important for performance: 5. Efficient Handling of Static AD: static AD can be precomputed. We design a lightweight blockcipher-based AEAD mode of operation called SAEB: the first mode of operation that satisfies all the five properties to the best of our knowledge. Performance of SAEB is evaluated in various software and hardware platforms.
    [Show full text]
  • Item Box Subject Author Title Exps Pages Size Inches Pub. Date Grand
    Item Box Subject Author Title Exps Pages Size Inches Pub. Date Grand Total: 3, 139, 369, 104, 343, 159, [and the 210 Namibian 51, 612, 191, 21, 44, 1, 39, 95, 428, docs so far is 2809] (2599) Central Africa:3 1 Central Africa—General Economics UNECA Subregional Strategies 19 32 8x11.5 Hints to Businessmen Visiting The London Board of 2 Central Africa—General Economics Congo (Brazzaville), Chad, Gabon 19 32 4.75x7.125 Trade and Central African Republic Purpose and Perfection Pottery as 3 Central Africa—General Art The Smithsonian Institution 3 4 8x9.25 a Woman's Art in Central Africa Botswana:139 National Institute of Access to Manual Skills Training in 1 Botswana—Bibliographies Bibliography Development and Cultural Botswana: An Annotated 9 13 8x11.5 Research Bibliography Social Thandiwe Kgosidintsi and 2 Botswana—Bibliographies Sciences—Information Publishing in Botswana 2 2 8.5x11 Neil Parsons Science National Institute of 3 Botswana—Bibliographies Bibliography Development Rearch and Working Papers 5 8 5.75x8.25 Documentation University of Botswana and Department of Library Studies 1 Botswana—Social Sciences Social Sciences 28 25 8.25x11.75 Swaziland Prospectus Social Refugees In Botswana: a Policy of 2 Botswana—Social Sciences United Nations 3 7 4.125x10.5 Sciences—Refugees Resettlement Projet De College Exterieur Du 3 Botswana—Social Sciences Social Sciences unknown 3 3 8.25x11.75 Botswana Community Relations in Botswana, with special reference to Francistown. Statement 4 Botswana—Social Sciences Social Sciences Republic of Botswana Delivered to the National Assembly 4 5 5.5x8 1971 by His Honor the Vice President Dt.
    [Show full text]
  • Implementation and Evaluation of Secure Industrial Ethernet Communication
    Implementation and Evaluation of Secure Industrial Ethernet Communication Master of Science Thesis, Communication Engineering KAN YU Department of Signals and Systems CHALMERS UNIVERSITY OF TECHNOLOGY Göteborg, Sweden, August 2010 Page 2/88 Abstract Automation network security becomes increasingly important due to the introduction of Ethernet- based fieldbus protocols and cryptographic algorithms play a vital important role in these protocols. Choosing the most suitable cryptographic algorithms under consideration of security and performance according to different application cases is essential. In this thesis, we first present a comprehensive survey of most commonly used cryptographic algorithms which can be applied in automation networks and then identify our candidates based on existing literature and related works for further evaluation in ARM platform for industrial purpose. Finally, according to our evaluation results, we choose suitable algorithms for different applications: for symmetric algorithms, Twofish is recommended for best performance and eXtended Tiny Encryption Algorithm (XTEA) and Corrected Block Tiny Encryption Algorithm (XXTEA) are recommended for the least footprint; for Message Authentication Code (MAC) algorithms, UMAC is strongly recommended for excellent speed; for asymmetric algorithms, Elliptic Curve Cryptography (ECC) has much better performance than RSA at the same security level in our platform. Page 3/88 TABLE OF CONTENTS 1 INTRODUCTION ..................................................................................................................................
    [Show full text]
  • Cs 255 (Introduction to Cryptography)
    CS 255 (INTRODUCTION TO CRYPTOGRAPHY) DAVID WU Abstract. Notes taken in Professor Boneh’s Introduction to Cryptography course (CS 255) in Winter, 2012. There may be errors! Be warned! Contents 1. 1/11: Introduction and Stream Ciphers 2 1.1. Introduction 2 1.2. History of Cryptography 3 1.3. Stream Ciphers 4 1.4. Pseudorandom Generators (PRGs) 5 1.5. Attacks on Stream Ciphers and OTP 6 1.6. Stream Ciphers in Practice 6 2. 1/18: PRGs and Semantic Security 7 2.1. Secure PRGs 7 2.2. Semantic Security 8 2.3. Generating Random Bits in Practice 9 2.4. Block Ciphers 9 3. 1/23: Block Ciphers 9 3.1. Pseudorandom Functions (PRF) 9 3.2. Data Encryption Standard (DES) 10 3.3. Advanced Encryption Standard (AES) 12 3.4. Exhaustive Search Attacks 12 3.5. More Attacks on Block Ciphers 13 3.6. Block Cipher Modes of Operation 13 4. 1/25: Message Integrity 15 4.1. Message Integrity 15 5. 1/27: Proofs in Cryptography 17 5.1. Time/Space Tradeoff 17 5.2. Proofs in Cryptography 17 6. 1/30: MAC Functions 18 6.1. Message Integrity 18 6.2. MAC Padding 18 6.3. Parallel MAC (PMAC) 19 6.4. One-time MAC 20 6.5. Collision Resistance 21 7. 2/1: Collision Resistance 21 7.1. Collision Resistant Hash Functions 21 7.2. Construction of Collision Resistant Hash Functions 22 7.3. Provably Secure Compression Functions 23 8. 2/6: HMAC And Timing Attacks 23 8.1. HMAC 23 8.2.
    [Show full text]
  • Kriptografske Tehničke Sigurnosne Mjere
    Sigurnost računalnih sustava Computer Systems Security Kriptografske tehničke sigurnosne mjere Marin Golub Sadržaj • Uvod: Jesu li i koliko su kriptoalgoritmi sigurni? • Napadi na simetrične i asimetrične kriptosustave • Asimetrični kriptosustavi – Kriptosustavi zasnovani na eliptičkim krivuljama • Funkcije za izračunavanje sažetka poruke – Napadi na funkcije za izračunavanje sažetka poruke – Elektronički vs. digitalni potpis – SHA-2 i SHA-3 • Kvantna kriptografija • Natječaji za nove kriptografske algoritme koji su u tijeku – Kriptografija prilagođena ugrađenim računalima (Lightweight Cryptography ) – Asimetrična kriptografija nakon kvantnih računala (Post-Quantum Cryptography ) SRS-Crypto-2/79 Osnovni pojmovi Kriptologija = kriptografija + kriptoanaliza Kriptografija • znanstvena disciplina (ili umjetnost?) sastavljanja poruka sa ciljem skrivanja sadržaja poruka Kriptoanaliza • znanstvena disciplina koja se bavi analizom skrivenih aspekata sustava i koristi se kako bi se ispitala (ili narušila) sigurnost kriptografskog sustava SRS-Crypto-3/79 Jesu li i koliko su kriptoalgoritmi sigurni? • Postoje specijalizirana računala za napad grubom silom na DES kriptosustav: COPACOBANA (A Cost-Optimized PArallel COde Breaker) • 12.12.2009. faktoriziran RSA-768 • na kvantnom računalu je riješen problem faktoriziranja velikih brojeva i problem diskretnog logaritma • 17.8.2004. - kineski i francuski znanstvenici su objavili članak pod naslovom: "Kolizija za hash funkcije: MD4, MD5, Haval-128 i RIPEMD" • 13.2.2005. - kineski znanstvenici: "Collision
    [Show full text]
  • Improved Meet-In-The-Middle Distinguisher on Feistel Schemes
    Improved Meet-in-the-Middle Distinguisher on Feistel Schemes Li Lin1;2 and Wenling Wu1 1 Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China 2 Graduate University of Chinese Academy of Sciences, Beijing 100190, China flinli, [email protected] Abstract. Improved meet-in-the-middle cryptanalysis with efficient tab- ulation technique has been shown to be a very powerful form of crypt- analysis against SPN block ciphers. However, few literatures show the ef- fectiveness of this cryptanalysis against Balanced-Feistel-Networks (BFN) and Generalized-Feistel-Networks (GFN) ciphers due to the stagger of affected trail and special truncated differential trail. In this paper, we de- scribe a versatile and powerful algorithm for searching the best improved meet-in-the-middle distinguisher with efficient tabulation technique on word-oriented BFN and GFN block ciphers, which is based on recursion and greedy algorithm. To demonstrate the usefulness of our approach, we show key recovery attacks on 14/16-round CLEFIA-192/256 which are the best attacks. We also propose key recovery attacks on 13/15-round Camellia-192/256 (without F L=F L−1). Keywords: Block Ciphers, Improved Meet-in-the-Middle Attack, Effi- cient Tabulation Technique, Automatic Search Tool, Truncated Differ- ential Trail, CLEFIA, Camellia. 1 Introduction The meet-in-the-middle attack was first proposed by Diffie and Hellman to attack DES [7]. In recent years, it was widely researched due to its effectiveness against block cipher AES [4]. For AES, Gilbert and Minier showed in [10] a collision attack on 7-round AES.
    [Show full text]
  • Stream Cipher Designs: a Review
    SCIENCE CHINA Information Sciences March 2020, Vol. 63 131101:1–131101:25 . REVIEW . https://doi.org/10.1007/s11432-018-9929-x Stream cipher designs: a review Lin JIAO1*, Yonglin HAO1 & Dengguo FENG1,2* 1 State Key Laboratory of Cryptology, Beijing 100878, China; 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China Received 13 August 2018/Accepted 30 June 2019/Published online 10 February 2020 Abstract Stream cipher is an important branch of symmetric cryptosystems, which takes obvious advan- tages in speed and scale of hardware implementation. It is suitable for using in the cases of massive data transfer or resource constraints, and has always been a hot and central research topic in cryptography. With the rapid development of network and communication technology, cipher algorithms play more and more crucial role in information security. Simultaneously, the application environment of cipher algorithms is in- creasingly complex, which challenges the existing cipher algorithms and calls for novel suitable designs. To accommodate new strict requirements and provide systematic scientific basis for future designs, this paper reviews the development history of stream ciphers, classifies and summarizes the design principles of typical stream ciphers in groups, briefly discusses the advantages and weakness of various stream ciphers in terms of security and implementation. Finally, it tries to foresee the prospective design directions of stream ciphers. Keywords stream cipher, survey, lightweight, authenticated encryption, homomorphic encryption Citation Jiao L, Hao Y L, Feng D G. Stream cipher designs: a review. Sci China Inf Sci, 2020, 63(3): 131101, https://doi.org/10.1007/s11432-018-9929-x 1 Introduction The widely applied e-commerce, e-government, along with the fast developing cloud computing, big data, have triggered high demands in both efficiency and security of information processing.
    [Show full text]
  • Eurocrypt'2000 Conference Report
    Eurocrypt'2000 Conference Report May 15–18, 2000 Bruges Richard Graveman Telcordia Technologies Morristown, NJ USA [email protected] Welcome This was the nineteenth annual Eurocrypt conference. Thirty-nine out of 150 papers were accepted, and there were two invited talks along with the traditional rump session. About 480 participants from 39 countries were present. Bart Preneel was Program Chair. The Proceedings were published by Springer Verlag as Advances in Cryptology— Eurocrypt'98, Lecture Notes in Computer Science, Volume 1807, Bart Preneel, editor. Session 1: Factoring and Discrete Logarithm, Chair: Bart Preneel Factorization of a 512-bit RSA Modulus, Stefania Cavallar (CWI, The Netherlands), Bruce Dodson (Lehigh University, USA), Arjen K. Lenstra (Citibank, USA), Walter Lioen (CWI, The Netherlands), Peter L. Montgomery (Microsoft Research, USA and CWI, The Netherlands), Brian Murphy (The Australian National University, Australia), Herman te Riele (CWI, The Netherlands), Karen Aardal (Utrecht University, The Netherlands), Jeff Gilchrist (Entrust Technologies Ltd., Canada), Gérard Guillerm (École Polytechnique, France), Paul Leyland (Microsoft Research Ltd., UK), Joël Marchand (École Polytechnique/CNRS, France), François Morain (École Polytechnique, France), Alec Muffett (Sun Microsystems, UK), Chris and Craig Putnam (USA), Paul Zimmermann (Inria Lorraine and Loria, France) The authors factored the RSA challenge number RSA-512 with the general number field sieve (NFS). The algorithm has four steps: polynomial selection, sieving, linear algebra, and square root extraction. For N known to be composite, two irreducible polynomials with a common root mod N are needed. f1 (of degree 5 in this case) should have many roots modulo small primes as well as being as small as possible.
    [Show full text]
  • Security Analysis of BLAKE2's Modes of Operation
    Security Analysis of BLAKE2’s Modes of Operation Atul Luykx1, Bart Mennink1 and Samuel Neves2 1 Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium [email protected], [email protected] 2 CISUC, Dept. of Informatics Engineering, University of Coimbra, Portugal [email protected] Abstract. BLAKE2 is a hash function introduced at ACNS 2013, which has been adopted in many constructions and applications. It is a successor to the SHA-3 finalist BLAKE, which received a significant amount of security analysis. Nevertheless, BLAKE2 introduces sufficient changes so that not all results from BLAKE carry over, meaning new analysis is necessary. To date, all known cryptanalysis done on BLAKE2 has focused on its underlying building blocks, with little focus placed on understanding BLAKE2’s generic security. We prove that BLAKE2’s compression function is indifferentiable from a random function in a weakly ideal cipher model, which was not the case for BLAKE. This implies that there are no generic attacks against any of the modes that BLAKE2 uses. Keywords: BLAKE · BLAKE2 · hash function · indifferentiability · PRF 1 Introduction Widespread adoption of cryptographic algorithms in practice often occurs regardless of their scrutiny by the cryptographic community. Although competitions such as AES and SHA-3 popularize thoroughly analyzed algorithms, they are not the only means with which practitioners find new algorithms. Standards, textbooks, and social media are sometimes more effective than publications and competitions. Nevertheless, analysis of algorithms is important regardless of how they were pop- ularized, and can result in finding insecurities, but also new techniques. For example, the PLAID protocol avoided cryptographic scrutiny by being standardized via the Cards and personal identification subcommittee of ISO, instead of via the Cryptography and security mechanisms working group, and when properly analyzed, PLAID turned out to be significantly weaker than claimed [DFF+14].
    [Show full text]
  • New Generic Attacks on Hash-Based Macs
    Introduction New generic attacks HMAC-GOST key-recovery Conclusion . New Generic Attacks on Hash-based MACs Gaëtan Leurent, Thomas Peyrin, Lei Wang Inria, France UCL, Belgium Nanyang Technological University, Singapore Asiacrypt 2013 G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 Introduction New generic attacks HMAC-GOST key-recovery Conclusion . Message Authentication Codes . Alice M, t Bob ▶ Alice sends a message to Bob ▶ Bob wants to authenticate the message. ▶ Alice use a key k to compute a tag: t = MACk(M) ? ▶ Bob verifies the tag with the same key k: t = MACk(M) ▶ Symmetric equivalent to digital signatures G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 2 / 22 Introduction New generic attacks HMAC-GOST key-recovery Conclusion . MAC Constructions ▶ Dedicated designs ▶ PelicanMAC, SQUASH, SipHash ▶ From universal hash functions ▶ UMAC, VMAC, Poly1305 ▶ From block ciphers ▶ CBCMAC, OMAC, PMAC ▶ From hash functions ▶ HMAC, SandwichMAC, EnvelopeMAC G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 3 / 22 Introduction New generic attacks HMAC-GOST key-recovery Conclusion . MAC Constructions ▶ Dedicated designs ▶ PelicanMAC, SQUASH, SipHash ▶ From universal hash functions ▶ UMAC, VMAC, Poly1305 ▶ From block ciphers ▶ CBCMAC, OMAC, PMAC ▶ From hash functions ▶ HMAC, SandwichMAC, EnvelopeMAC G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 3 / 22 Introduction New generic attacks HMAC-GOST key-recovery Conclusion . HMAC ▶ HMAC has been designed by Bellare, Canetti, and Krawczyk in 1996 ▶ Standardized by ANSI, IETF, ISO, NIST. ▶ Used in many applications: ▶ To provide authentication: ▶ SSL, IPSEC, ... ▶ To provide identification: ▶ Challengeresponse protocols ▶ CRAMMD5 authentication in SASL, POP3, IMAP, SMTP, ..
    [Show full text]
  • Limdolen a Lightweight Authenticated Encryption Algorithm
    Limdolen A Lightweight Authenticated Encryption Algorithm Carl E. Mehner March 2019 Abstract. This document defines the Limdolen Authenticated Encryption with Associated Data (AEAD) system including the overall AEAD specific algorithm and the core encryption round function. The system takes as input variable-length plaintext, variable length associated data, a fixed-length nonce, and a fixed-length key and creates as output a fixed-length authentication tag and variable-length ciphertext. Keywords:​ Lightweight Cryptography , Limdolen , AEAD , AXR Introduction 1 Terminology 3 Encryption and Decryption 4 Parameters 4 Limdolen Recommended Parameter Lengths 4 Round Function 4 Round Key 4 Input - 128-bit 6 Input - 256-bit 8 Limdolen AEAD 9 Calculating the Tag Value 9 Creating the Ciphertext 12 Decryption 13 Security Claims 14 Security Analysis 15 Performance and Implementation 18 Algorithm Features 19 References 20 Introduction Limdolen (meaning “swift secret” in the Sindarin language), is a block based cipher with two defined family members, 128-bit and 256-bit. This paper describes one method of creating cipher text using the Limdolen round function, however, other methods may be defined in the future using the same core round function. Each of the functions and calculations in this algorithm are able to use a maximum size of one 8-bit byte in order to better work with devices that are more constrained in their processor architecture. The AEAD construction that uses the round function is, at a high level, similar to the PMAC SIV [04] algorithm (Parallelizable Message Authentication Code; Synthetic Initialization Vector) created by Phillip Rogaway but has been adapted in several key ways to accommodate the lower power and lower memory footprints of lightweight devices.
    [Show full text]