Performance Evaluation and Comparison of Standard Cryptographic Algorithms and Chinese Cryptographic Algorithms

Total pages: 16. File type: PDF, size: 1020 KB.

Performance Evaluation and Comparison of Standard Cryptographic Algorithms and Chinese Cryptographic Algorithms
Master of Science in Engineering: Computer Security, May 2019
Louise Bergman Martinkauppi and Qiuping He
Faculty of Computing, Blekinge Institute of Technology, 371 79 Karlskrona, Sweden

This thesis is submitted to the Faculty of Computing at Blekinge Institute of Technology in partial fulfilment of the requirements for the degree of Master of Science in Engineering: Computer Security. The thesis is equivalent to 20 weeks of full-time studies. The authors declare that they are the sole authors of this thesis and that they have not used any sources other than those listed in the bibliography and identified as references. They further declare that they have not submitted this thesis at any other institution to obtain a degree.

Contact information. Authors: Louise Bergman Martinkauppi, e-mail: [email protected]; Qiuping He, e-mail: [email protected]. University advisor: Senior Lecturer Dragos Ilie, Department of Computer Science and Engineering. Faculty of Computing, Blekinge Institute of Technology, SE-371 79 Karlskrona, Sweden. Internet: www.bth.se. Phone: +46 455 38 50 00. Fax: +46 455 38 50 57.

Abstract

Background. China regulates the import, export, sale, and use of encryption technology in China. If a foreign company wants to develop or release a product in China, it needs to report its use of any encryption technology to the Office of State Commercial Cryptography Administration (OSCCA) to gain approval. SM2, SM3, and SM4 are cryptographic standards published by OSCCA and are authorized to be used in China. To comply with Chinese cryptography laws, organizations and companies may have to replace the standard cryptographic algorithms in their systems with Chinese cryptographic algorithms such as SM2, SM3, and SM4. It is important to know beforehand how the replacement of algorithms will impact performance, in order to determine future system costs.

Objectives. Perform a theoretical study and performance comparison of the standard cryptographic algorithms and the Chinese cryptographic algorithms. The standard cryptographic algorithms studied are RSA, ECDSA, SHA-256, and AES-128; the Chinese cryptographic algorithms studied are SM2, SM3, and SM4.

Methods. A literature analysis was conducted to gain knowledge and collect information about the selected cryptographic algorithms in order to make a theoretical comparison of the algorithms. An experiment was conducted to measure how the algorithms perform and to be able to rate them.

Results. The literature analysis provides a comparison that identifies design similarities and differences between the algorithms. The controlled experiment provides measurements of the metrics for the algorithms mentioned in the objectives.

Conclusions. The digital signature algorithms SM2 and ECDSA have similar designs and also similar performance. SM2 and RSA have fundamentally different designs, and SM2 performs better than RSA when generating keys and signatures. When verifying signatures, RSA shows comparable performance in some cases and worse performance in others. The hash algorithms SM3 and SHA-256 have many design similarities, but SHA-256 performs slightly better than SM3. AES-128 and SM4 have many similarities but also a few differences; in the controlled experiment, AES-128 outperforms SM4 by a significant margin.

Keywords: cryptography, performance, SM2, SM3, SM4

Sammanfattning (Swedish abstract, translated)

Background. China regulates the import, export, sale, and use of encryption technology in China. If a foreign company wants to develop or release a product in China, it must report its use of encryption technology to the Office of State Commercial Cryptography Administration (OSCCA) for approval. SM2, SM3, and SM4 are cryptographic standards that may legally be used in China. Organizations and companies may need to replace the encryption algorithms in their systems with Chinese encryption algorithms to meet the requirements of Chinese law. It is therefore important to know in advance how the replacement of algorithms will affect performance, in order to evaluate future costs for the system.

Aim. Carry out a theoretical study and performance comparison of standard encryption algorithms and Chinese encryption algorithms. The standard algorithms are RSA, ECDSA, SHA-256, and AES-128. The Chinese algorithms are SM2, SM3, and SM4.

Method. A literature analysis was carried out to gain a better understanding of the selected algorithms. An experiment was carried out to collect measurements of the chosen parameters and then to rank the measurements.

Results. The literature analysis gave a comparison that identifies similarities and differences between the algorithms. The controlled experiment gave measurements of the parameters for the algorithms named in the aim.

Conclusions. The digital signature algorithms SM2 and ECDSA have similar designs and also similar performance. SM2 and RSA have fundamental differences in their design, and SM2 has better performance for key generation and signature generation. When verifying signatures, RSA shows comparable performance in some cases and worse performance in others. The hash functions SM3 and SHA-256 also have many similarities in their design, but SHA-256 performs slightly better than SM3. AES-128 and SM4 have many design similarities but also some differences. In the controlled experiment, AES-128 performs better than SM4 by a large margin.

Keywords: encryption, performance, SM2, SM3, SM4

Acknowledgments

Firstly, we would like to thank our supervisor Dragos Ilie for the support and guidance throughout our master thesis project. This thesis was supported by the Ericsson M-commerce department, which we thank for giving us the opportunity to do our master thesis with them. Here, we would like to thank our supervisor at Ericsson, Mattias Liljeson, for the interesting thesis subject and continuous feedback. We also thank Alexander Mohlin for his guidance and assistance. Lastly, we would like to thank our manager Ulf Santesson for all the support and for providing the resources.

Nomenclature

AES: Advanced Encryption Standard
CBC: Cipher Block Chaining mode
CPU: Central Processing Unit
CRT: Chinese Remainder Theorem
CTR: Counter mode
DES: Data Encryption Standard
ECB: Electronic Codebook mode
ECC: Elliptic-Curve Cryptography
ECDLP: Elliptic Curve Discrete Logarithm Problem
ECDSA: Elliptic Curve Digital Signature Algorithm
FIPS: Federal Information Processing Standard
IEEE: Institute of Electrical and Electronics Engineers
IFP: Integer Factorization Problem
ISO: International Organization for Standardization
NIST: National Institute of Standards and Technology
OFAT: One-Factor-at-a-Time
OSCCA: Office of State Commercial Cryptography Administration
PSS: Probabilistic Signature Scheme
RSA: Rivest-Shamir-Adleman
RSS: Resident Set Size
SCA: State Cryptography Administration
SHA: Secure Hash Algorithm
SPN: Substitution-Permutation Network
UFN: Unbalanced Feistel Network

Contents (page numbers as in the thesis)

Abstract (p. i); Sammanfattning (p. iii); Acknowledgments (p. v); Nomenclature (p. vii)
1 Introduction (p. 1): 1.1 Motivation (p. 1); 1.2 Aim, Objectives, and Research Questions (p. 2); 1.3 Decisions (p. 3); 1.4 Scope and Limitations (p. 5); 1.5 Thesis Outline (p. 6)
2 Related Work (p. 7): 2.1 SM2 (p. 7); 2.2 SM3 (p. 8); 2.3 SM4 (p. 8); 2.4 Cryptographic Algorithm Comparison (p. 9); 2.5 Knowledge Gap (p. 9)
3 Background (p. 11): 3.1 Cryptography Law in China (p. 11); 3.2 Symmetric and Asymmetric Cryptosystems (p. 12); 3.3 Confusion and Diffusion (p. 12); 3.4 Elliptic Curve Cryptography (p. 13); 3.5 Block Cipher Mode of Operation (p. 14); 3.6 Algorithm Design (p. 16)
4 Method (p. 17): 4.1 Literature Analysis (p. 17): 4.1.1 Databases and Search Engines (p. 17); 4.1.2 Procedures and Approaches (p. 17); 4.1.3 Used Approach (p. 18). 4.2 Controlled Experiment (p. 19): 4.2.1 Libraries and Tools (p. 19); 4.2.2 System Specification (p. 20); 4.2.3 Experiment Design (p. 20); 4.2.4 Used Approach (p. 21); 4.2.5 Distribution Analysis (p. 22); 4.2.6 Mann-Whitney U test (p. 22). 4.3 Validity (p. 23): 4.3.1 Internal (p. 23); 4.3.2 External (p. 24); 4.3.3 Algorithm Implementations Verification (p. 24)
5 Results (p. 27): 5.1 Literature Analysis (p. 27): 5.1.1 Design Comparison of SM2, RSA, and ECDSA (p. 27); 5.1.2 Design Comparison of SM3 and SHA-256 (p. 30); 5.1.3 Design Comparison of SM4 and AES-128 (p. 32). 5.2 Algorithm Results (p. 34): 5.2.1 Digital Signature Results (p. 34); 5.2.2 Hash Results (p. 38); 5.2.3 Block Cipher Results (p. 41); 5.2.4 Relative Differences Between the Algorithms (p. 45). 5.3 Distribution Analysis Results (p. 47). 5.4 Mann-Whitney U Test Results (p. 50)
6 Analysis and Discussion (p. 51): 6.1 Overall Performance Impact (p. 51); 6.2 File Size (p. 51); 6.3 Distribution Analysis (p. 52); 6.4 Performance (p. 52): 6.4.1 Digital Signature Algorithms (p. 52); 6.4.2 Hash Algorithms (p. 54); 6.4.3 Block Cipher Algorithms (p. 54). 6.5 Memory (p. 54)
7 Conclusions and Future Work (p. 57): 7.1 Conclusion (p. 57); 7.2 Future Work (p. 59)
References (p. 61)
A Algorithm Design (p. 69): A.1 AES (p. 69); A.2 ECDSA (p. 75); A.3 RSA (p. 78); A.4 SHA-256 (p. 80); A.5 SM2 (p. 84); A.6 SM3 (p. 88); A.7 SM4 (p. 91)
B Mann Whitney U Test (p. 95): B.1 Digital Signature (p. 95); B.2 Hash Function (p. 98); B.3 Block Cipher (p. 99)

List of Figures

3.1 The ECB encryption and decryption. Figure adapted from figure 1 in [1]. (p. 14)
3.2 The CBC encryption and decryption. Figure adapted from figure 2 in [1]. (p. 15)
3.3 The CTR encryption and decryption. Figure adapted from figure 5 in [1]. (p. 16)
5.1 Digital signature real-time in Botan and GmSSL. (p. 34)
5.2 Digital signature CPU time in Botan and GmSSL. (p. 35)
5.3 Digital signature CPU cycles in Botan and GmSSL. (p. 35)
5.4 Digital signature RSS in Botan and GmSSL. (p. 36)
5.5 Hash algorithms real-time in Botan and OpenSSL. (p. 38)
5.6 Hash algorithms CPU time in Botan and OpenSSL. (p. 39)
5.7 Hash algorithms CPU cycles in Botan and OpenSSL. (p. 39)
5.8 Hash algorithms RSS in Botan and OpenSSL. (p. 40)
5.9 Block Ciphers real-time graphs in Botan and OpenSSL.
Recommended publications
  • Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher
    Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. Florian Mendel (IAIK, Graz University of Technology, Austria), Thomas Peyrin (Ingenico, France), Christian Rechberger and Martin Schläffer (IAIK, Graz University of Technology, Austria). Abstract. In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO. Keywords: hash function, block cipher, cryptanalysis, semi-free-start collision, known-key distinguisher. 1 Introduction. Recently, a new wave of hash function proposals appeared, following a call for submissions to the SHA-3 contest organized by NIST [26]. In order to analyze these proposals, the toolbox which is at the cryptanalysts' disposal needs to be extended. Meet-in-the-middle and differential attacks are commonly used. A recent extension of differential cryptanalysis to hash functions is the rebound attack [22], originally applied to reduced (7.5 rounds) Whirlpool (standardized since 2000 by ISO/IEC 10118-3:2004) and a reduced version (6 rounds) of the SHA-3 candidate Grøstl-256 [14], which both have 10 rounds in total.
  • Grøstl – a SHA-3 Candidate
    Grøstl – a SHA-3 candidate. http://www.groestl.info. Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz and Søren S. Thomsen (Department of Mathematics, Technical University of Denmark, Matematiktorvet 303S, DK-2800 Kgs. Lyngby, Denmark); Florian Mendel, Christian Rechberger and Martin Schläffer (Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria). January 15, 2009. Summary. Grøstl is a SHA-3 candidate proposal. Grøstl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grøstl is transparent and based on principles very different from those used in the SHA family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grøstl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grøstl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is very strong confusion and diffusion in Grøstl. Grøstl is a so-called wide-pipe construction where the size of the internal state is significantly larger than the size of the output. This has the effect that all known generic attacks on the hash function are made much more difficult. Grøstl has good performance on a wide range of platforms, and counter-measures against side-channel attacks are well understood from similar work on the AES.
  • Environmental DNA Reveals the Fine-Grained and Hierarchical Spatial Structure of Kelp Forest Fish Communities
    www.nature.com/scientificreports (open access). Environmental DNA reveals the fine-grained and hierarchical spatial structure of kelp forest fish communities. Thomas Lamy, Kathleen J. Pitz, Francisco P. Chavez, Christie E. Yorke and Robert J. Miller. Biodiversity is changing at an accelerating rate at both local and regional scales. Beta diversity, which quantifies species turnover between these two scales, is emerging as a key driver of ecosystem function that can inform spatial conservation. Yet measuring biodiversity remains a major challenge, especially in aquatic ecosystems. Decoding environmental DNA (eDNA) left behind by organisms offers the possibility of detecting species sans direct observation, a Rosetta Stone for biodiversity. While eDNA has proven useful to illuminate diversity in aquatic ecosystems, its utility for measuring beta diversity over spatial scales small enough to be relevant to conservation purposes is poorly known. Here we tested how eDNA performs relative to underwater visual census (UVC) to evaluate beta diversity of marine communities. We paired UVC with 12S eDNA metabarcoding and used a spatially structured hierarchical sampling design to assess key spatial metrics of fish communities on temperate rocky reefs in southern California. eDNA provided a more detailed picture of the main sources of spatial variation in both taxonomic richness and community turnover, which primarily arose due to strong species filtering within and among rocky reefs. As expected, eDNA detected more taxa at the regional scale (69 vs. 38), which accumulated quickly with space and plateaued at only ~11 samples. Conversely, the discovery rate of new taxa was slower with no sign of saturation for UVC.
  • Correlation Power Attack on a Message Authentication Code Based on SM3
    Yuan et al., Frontiers of Information Technology & Electronic Engineering 2019, 20(7):930-945 (www.jzus.zju.edu.cn; engineering.cae.cn; www.springerlink.com; ISSN 2095-9184 print, ISSN 2095-9230 online; e-mail: [email protected]). Correlation power attack on a message authentication code based on SM3. Ye Yuan, Kai-ge Qu, Li-ji Wu, Jia-wei Ma and Xiang-min Zhang. Institute of Microelectronics, Tsinghua University, Beijing 100084, China; National Laboratory for Information Science and Technology, Tsinghua University, Beijing 100084, China; State Key Laboratory of Cryptography, Beijing 100094, China. Received May 19, 2018; revision accepted July 30, 2018; crosschecked July 12, 2019. Abstract: Hash-based message authentication code (HMAC) is widely used in authentication and message integrity. As a Chinese hash algorithm, the SM3 algorithm is gradually winning domestic market value in China. The side channel security of HMAC based on SM3 (HMAC-SM3) is still to be evaluated, especially in hardware implementation, where only intermediate values stored in registers have apparent Hamming distance leakage. In addition, the algorithm structure of SM3 determines the difficulty in HMAC-SM3 side channel analysis. In this paper, a skillful bit-wise chosen-plaintext correlation power attack procedure is proposed for HMAC-SM3 hardware implementation. Real attack experiments on a field programmable gate array (FPGA) board have been performed. Experimental results show that we can recover the key from the hypothesis space of 2^256 based on the proposed procedure.
  • Security Analysis for MQTT in Internet of Things
    Degree project in Computer Science and Engineering, second cycle, 30 credits. Stockholm, Sweden, 2018. Security analysis for MQTT in Internet of Things. Diego Salas Ugalde, KTH Royal Institute of Technology, School of Electrical Engineering and Computer Science. Master in Network Services and Systems. Date: November 22, 2018. Supervisor: Johan Gustafsson (Zyax AB). Examiner: Panos Papadimitratos (KTH). Swedish title: Säkerhet analys för MQTT i IoT. Abstract. Internet of Things, i.e. IoT, has become a very trending topic in research and has been investigated in recent years. There can be several different scenarios and implementations where IoT is involved. Each of them has its requirements. In this type of IoT network, new communication protocols which are meant to be lightweight are included, such as MQTT. In this thesis there are two key aspects under study: security and achieving lightweight communication. We want to propose a secure and lightweight solution in an IoT scenario using MQTT as the communication protocol. We perform different experiments with different implementations over MQTT, which we evaluate, compare and analyze. The results obtained help to answer our research questions and show that the proposed solution fulfills the goals we proposed in the beginning of this work. Sammanfattning (Swedish abstract, translated). Internet of Things, i.e. IoT, has become a very trending topic in research and has been investigated in recent years. There can be several different scenarios and implementations where IoT is involved. Each of them has its requirements.
  • On the Design and Performance of Chinese OSCCA-Approved Cryptographic Algorithms
    On the Design and Performance of Chinese OSCCA-approved Cryptographic Algorithms. Louise Bergman Martinkauppi∗, Qiuping He† and Dragos Ilie‡, Dept. of Computer Science, Blekinge Institute of Technology (BTH), Karlskrona, Sweden. ∗[email protected], †ping95 @hotmail.com, ‡[email protected]. Abstract: SM2, SM3, and SM4 are cryptographic standards authorized to be used in China. To comply with Chinese cryptography laws, standard cryptographic algorithms in products targeting the Chinese market may need to be replaced with the algorithms mentioned above. It is important to know beforehand if the replaced algorithms impact performance. Bad performance may degrade user experience and increase future system costs. We present a performance study of the standard cryptographic algorithms (RSA, ECDSA, SHA-256, and AES-128) and corresponding Chinese cryptographic algorithms. Our results indicate that the digital signature algorithms SM2 and ECDSA have similar design and also similar performance. SM2 and RSA have fundamentally different designs. SM2 performs better than RSA when generating keys and signatures. Hash algorithms SM3 and SHA-256 have many design similarities, but SHA-256 performs slightly better than SM3. From the introduction: ... in transit and at rest [4]. The law, which came into effect on January 1, 2020, divides encryption into three different categories: core, ordinary and commercial. Core and ordinary encryption are used for protecting China's state secrets at different classification levels. Both core and ordinary encryption are considered state secrets and thus are strictly regulated by the SCA. It is therefore likely that these types of encryption will be based on the national algorithms mentioned above, so that SCA can exercise full control over standards and implementations. Commercial encryption is used to protect information that
  • A (Second) Preimage Attack on the GOST Hash Function
    A (Second) Preimage Attack on the GOST Hash Function. Florian Mendel, Norbert Pramstaller, and Christian Rechberger, Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria. Abstract. In this article, we analyze the security of the GOST hash function with respect to (second) preimage resistance. The GOST hash function, defined in the Russian standard GOST-R 34.11-94, is an iterated hash function producing a 256-bit hash value. As opposed to most commonly used hash functions such as MD5 and SHA-1, the GOST hash function defines, in addition to the common iterated structure, a checksum computed over all input message blocks. This checksum is then part of the final hash value computation. For this hash function, we show how to construct second preimages and preimages with a complexity of about 2^225 compression function evaluations and a memory requirement of about 2^38 bytes. First, we show how to construct a pseudo-preimage for the compression function of GOST based on its structural properties. Second, this pseudo-preimage attack on the compression function is extended to a (second) preimage attack on the GOST hash function. The extension is possible by combining a multicollision attack and a meet-in-the-middle attack on the checksum. Keywords: cryptanalysis, hash functions, preimage attack. 1 Introduction. A cryptographic hash function H maps a message M of arbitrary length to a fixed-length hash value h. A cryptographic hash function has to fulfill the following security requirements: – Collision resistance: it is practically infeasible to find two messages M and M*, with M* ≠ M, such that H(M) = H(M*).
  • A Framework for Fully-Simulatable h-Out-Of-n Oblivious Transfer
    A Framework For Fully-Simulatable h-Out-Of-n Oblivious Transfer. Zeng Bing, Tang Xueming, and Chingfang Hsu. Abstract: We present a framework for fully-simulatable h-out-of-n oblivious transfer (OT^n_h) with security against non-adaptive malicious adversaries. The framework costs six communication rounds and at most 40n public-key operations in computational overhead. Compared with the known protocols for fully-simulatable oblivious transfer that work in the plain mode (where there is no trusted common reference string available) and are proven secure in the standard model (where there is no random oracle available), the instantiation of the framework based on the decisional Diffie-Hellman assumption is the most efficient one, whether measured by communication rounds or by computational overhead. Our framework uses three abstract tools, i.e., perfectly binding commitment, perfectly hiding commitment and our new smooth projective hash. This allows a simple and intuitive understanding of its security. From the introduction: ... where i_1 < i_2 < ... < i_h ≤ n. The receiver expects to get the messages m_{i_1}, m_{i_2}, ..., m_{i_h} without leaking any information about his private input, i.e., the h positive integers he holds. The sender expects that all new knowledge learned by the receiver from their interaction is at most h messages. Obviously, the OT most literature refers to is OT^2_1, which can be viewed as a special case of OT^n_h. Considering the variety of attacks we have to confront in a real environment, a protocol for OT^n_h with security against malicious adversaries (a malicious adversary may act in any arbitrary malicious way to learn as much
  • RFC 8998: ShangMi (SM) Cipher Suites for TLS 1.3
    Stream: Independent Submission. RFC: 8998. Category: Informational. Published: March 2021. ISSN: 2070-1721. Author: P. Yang, Ant Group. RFC 8998, ShangMi (SM) Cipher Suites for TLS 1.3. Abstract. This document specifies how to use the ShangMi (SM) cryptographic algorithms with Transport Layer Security (TLS) protocol version 1.3. The use of these algorithms with TLS 1.3 is not endorsed by the IETF. The SM algorithms are becoming mandatory in China, so this document provides a description of how to use the SM algorithms with TLS 1.3 and specifies a profile of TLS 1.3 so that implementers can produce interworking implementations. Status of This Memo. This document is not an Internet Standards Track specification; it is published for informational purposes. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8998. Copyright Notice. Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.
  • Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2
    Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2. Jian Guo, San Ling and Huaxiong Wang (Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore); Christian Rechberger (Dept. of Electrical Engineering ESAT/COSIC, K.U.Leuven, and Interdisciplinary Institute for BroadBand Technology (IBBT), Kasteelpark Arenberg 10, B-3001 Heverlee, Belgium). Abstract. We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks run in time 2^188.8 for finding preimages, and 2^188.2 for second preimages. Both have a memory requirement of order 2^8, which is much less than in any other recent preimage attacks on reduced Tiger. Using pre-computation techniques, the time complexity for finding a new preimage or second preimage for MD4 can now be as low as 2^78.4 and 2^69.4 MD4 computations, respectively. The second-preimage attack works for all messages longer than 2 blocks. To obtain these results, we extend the meet-in-the-middle framework recently developed by Aoki and Sasaki in a series of papers. In addition to various algorithm-specific techniques, we use a number of conceptually new ideas that are applicable to a larger class of constructions. Among them are (1) incorporating multi-target scenarios into the MITM framework, leading to faster preimages from pseudo-preimages, (2) a simple precomputation technique that allows for finding new preimages at the cost of a single pseudo-preimage, and (3) probabilistic initial structures, to reduce the attack time complexity.
  • Trusted Platform Module Library Part 1: Architecture TCG Public Review
    Trusted Platform Module Library Part 1: Architecture Family “2.0” Level 00 Revision 01.50 September 18, 2018 Committee Draft Contact: [email protected] Work in Progress This document is an intermediate draft for comment only and is subject to change without notice. Readers should not design products based on this document. TCG Public Review Copyright © TCG 2006-2019 TCG Trusted Platform Module Library Part 1: Architecture Licenses and Notices Copyright Licenses: Trusted Computing Group (TCG) grants to the user of the source code in this specification (the “Source Code”) a worldwide, irrevocable, nonexclusive, royalty free, copyright license to reproduce, create derivative works, distribute, display and perform the Source Code and derivative works thereof, and to grant others the rights granted herein. The TCG grants to the user of the other parts of the specification (other than the Source Code) the rights to reproduce, distribute, display, and perform the specification solely for the purpose of developing products based on such documents. Source Code Distribution Conditions: Redistributions of Source Code must retain the above copyright licenses, this list of conditions and the following disclaimers. Redistributions in binary form must reproduce the above copyright licenses, this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution. Disclaimers: THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. Contact TCG Administration ([email protected]) for information on specification licensing rights available through TCG membership agreements.