Practical Collisions for Widea-8

Total Page:16

File Type:pdf, Size:1020Kb

Practical Collisions for Widea-8 PRACTICAL COLLISIONS FOR WIDEA-8 Kerem Varıcı KU Leuven / COSIC Session ID: CRYP-R31 Session Classification: Advanced OUTLINE ► Introduction ► Collisions for the WIDEA-8 ► Results and Remarks ▶ Presenter Logo OUTLINE ► Introduction ► Collisions for the WIDEA-8 ► Results and Remarks ▶ Presenter Logo Introduction ( WIDEA ) ► Widea - a family of block ciphers ► Inspired by IDEA block cipher ► Designed by Junod and Macchetti ► Presented in FSE’09 ► Suggested to use as compression function for hash function in Davies - Mayer mode ► Competitive efciency with most of the hash functions ▶ Presenter Logo IDEA X1 X2 X3 X4 (1) (1) (1) (1) Z1 Z2 Z3 Z4 ► Designed by Lai and Massey in 1991 (1) Z5 ► 64-bit block size (1) Z6 ► 128-bit key size ► 8.5 rounds ► Widely implemented ► 20+ security analysis ( 7 more rounds ) ► Secure except weak keys (9) (9) (9) (9) Z1 Z2 Z3 Z4 Y1 Y2 Y3 Y4 ▶ Presenter Logo (i) (i) (i) (i) x0,1 x1,1 x2,1 x3,1 WIDEA-n (i) (i) (i) (i) x0,n x1,n x2,n x3,n Z0,1 Z1,1 Z2,1 Z3,1 ► Composed of n parallel Z0,n Z1,n Z2,n Z3,n applications of IDEA connected with an MDS matrix. Z4,1 MA-Box Z4,n ► 64×n bits block size MDS Z5,1 ► 64×2n key size Z5,n ► 8.5 rounds (i+1) (i+1) x2,1 x3,1 (i+1) (i+1) (i+1) (i+1) x0,n x1,n x2,n x3,n ▶ Presenter Logo Davies-Meyer Mode ► Proposed to construct hash functions from block ciphers ► Most widely used hash functions, including MD5, SHA-1 and mi SHA-2 use this construction hi 1 hi − ▶ Presenter Logo OUTLINE ► Introduction ► Collisions for the WIDEA-8 ► Attack strategy ► Application of theory to practice ► Extending the attack to full WIDEA-8 ► Results and Remarks ▶ Presenter Logo Attack strategy - I I I 0 I ▶ Presenter Logo Attack strategy - II Characteristic Z1 Z4 Z5 Z6 (0,0,0,△) ⇒ (△,△,△,0) - ±1 - ±1 X1 X2 X3 X4 (0,0,△,0) ⇒ (△,0,0,0) - - ±1 ±1 (1) (1) (1) (1) (0,0,△,△) ⇒ (0,△,△,0) - ±1 ±1 - Z1 Z2 Z3 Z4 (0,△,0,0) ⇒ (△,△,0,△) - - - ±1 (0,△,0,△) ⇒ (0,0,△,△) - ±1 - - (0,△,△,0) ⇒ (0,△,0,△) - - ±1 - (1) Z5 (0,△,△,△) ⇒ (△,0,△,△) - ±1 ±1 ±1 (△,0,0,0) ⇒) (0,△,0,0) ±1 - ±1 ±1 Z(1) 6 (△,0,0,△) ⇒ (△,0,△,0) ±1 ±1 ±1 - (△,0,△,0) ⇒ (△,△,0,0) ±1 - - - (△,0,△,△) ⇒ (0,0,△,0) ±1 ±1 - ±1 (△,△,0,0) ⇒ (△,0,0,△) ±1 - ±1 - (△,△,0,△) ⇒ (0,△,△,△) ±1 ±1 ±1 ±1 ( 7 more rounds ) (△,△,△,0) ⇒ (0,0,0,△) ±1 - - ±1 (△,△,△,△) ⇒ (△,△,△,△) ±1 ±1 - - ▶ Presenter (9) (9) (9) (9) Z1 Z2 Z3 Z4 Logo Y1 Y2 Y3 Y4 Attack strategy - III Observation 1 The parallel instances of IDEA are only connected by the MDS matrix in the MA- box and hence if we can find a characteristic for one lane where the MA-box is never active, the attack is reduced of attacking only MDS one lane instead of all eight. Observation 2 Given any eight consecutive subkeys {Zi+1, Zi+2, ..., Zi+8} it is possible to construct the whole set of subkeys. ▶ Presenter Logo Theory to practice ∆ ∆ ∆ ∆ Z0,1 Z1,1 Z2,1 Z3,1 Z0,n Z1,n Z2,n Z3,n Z4,1 Z4,n MDS Z5,1 Z5,n ∆ ∆ ∆ ∆ ▶ Presenter Logo Extending the attack to full WIDEA-8 ∆ ∆ ∆ ∆ Z0,1 Z1,1 Z2,1 Z3,1 Z0,n Z1,n Z2,n Z3,n Z4,1 Z4,n MDS Z5,1 Z5,n ∆ ∆ ∆ ∆ ▶ Presenter Logo Extending the attack to full WIDEA-8 ▶ Presenter Logo Collision Example ▶ Presenter Logo Results target rounds time attack type comp. function 7 1 free-start collision comp. function 8.5 (full) 1 free-start near-collision comp. function 8.5 (full) 213.53 free-start collision ▶ Presenter Logo ANY QUESTIONS ? Finding Collisions for Round-Reduced SM3 Florian Mendel, Tomislav Nad, Martin Schlaffer¨ Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria [email protected] CT-RSA 2013 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 1 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 2 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 3 / 30 The MD4 Family of Hash Functions MD4 MD5 SHA-0 HAVAL RIPEMD SHA-1 RIPEMD-128 RIPEMD-160 SHA-224 SHA-256 SHA-384 SHA-512 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions 7MD4 7MD5 SHA-07 HAVAL7 RIPEMD7 SHA-17 RIPEMD-128 RIPEMD-160 SHA-224 SHA-256 SHA-384 SHA-512 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions 7MD4 7MD5 SHA-07 HAVAL7 RIPEMD7 SHA-17 RIPEMD-128 RIPEMD-160 SHA-224 SHA-256 SHA-384 SHA-512 SM3 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions 7MD4 7MD5 SHA-07 HAVAL7 RIPEMD7 SHA-17 RIPEMD-1287 RIPEMD-1603 SHA-2243 SHA-2563 SHA-3843 SHA-5123 SM3 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions 7MD4 7MD5 SHA-07 HAVAL7 RIPEMD7 SHA-17 RIPEMD-1287 RIPEMD-1603 SHA-2243 SHA-2563 SHA-3843 SHA-5123 ?SM3 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 5 / 30 Hash Functions Some arbitrary length input message. H(M) 19BDAF403B3 Protect short hash value instead of long text. Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 6 / 30 Main Security Requirements Preimage Resistance given h(m) find m generic complexity:2 n Second-Preimage Resistance given m; h(m) find m0 with m = m0 and h(m) = h(m0) generic complexity:2 n 6 Collision Resistance find m; m0 with m = m0 and h(m) = h(m0) generic complexity:6 2 n=2 No non-random properties Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 7 / 30 Iterated Hash Function Construction M1 M2 M3 Mt IV f f f f g H(m) w w w w n Most hash functions use some kind of iteration compression function f output transformation g chaining value size w n ≥ Strength depends on f , g, w smaller w needs stronger f Analyze building blocks collision resistance of f non-random properties of f Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 8 / 30 free-start collision: attacker can choose difference and value of chaining input Hi 1 − f (Mi ; Hi 1) = f (Mi0; Hi0 1); Mi = Mi0; Hi 1 = Hi0 1 − − 6 − 6 − Collisions on the Compression Function M = M0 i 6 i f Hi 1 Hi − semi-free-start collision: attacker can choose value of chaining input Hi 1 − f (Mi ; Hi 1) = f (Mi0; Hi 1); Mi = Mi0 − − 6 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 9 / 30 Collisions on the Compression Function M = M0 i 6 i f Hi 1 = Hi0 1 Hi − 6 − semi-free-start collision: attacker can choose value of chaining input Hi 1 − f (Mi ; Hi 1) = f (Mi0; Hi 1); Mi = Mi0 − − 6 free-start collision: attacker can choose difference and value of chaining input Hi 1 − f (Mi ; Hi 1) = f (Mi0; Hi0 1); Mi = Mi0; Hi 1 = Hi0 1 − − 6 − 6 − Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 9 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 10 / 30 Collision Attacks m = m 6 ∗ H H H(m) = H(m∗) Find two different messages which result in the same hash value: m = m∗ with H(m) = H(m∗) 6 Birthday effect applies: 2n=2 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 11 / 30 Collision Attacks (Differential View) m = m ∆m = 0 6 ∗ 6 H H ⇐⇒ H H(m) = H(m∗) H(∆m) = 0 Find two different messages which result in the same hash m; ∆m with ∆m = 0 and H(∆m) = 0 6 Usually XOR differences are used: ∆m = m m∗ and H(∆m) = H(m) H(m∗) ⊕ ⊕ Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 12 / 30 Differential Characteristic How to find m, ∆m? Find differential characteristic (trail, path) using (semi-) automatic tools determines ∆m holds with high probability P try 1=P random messages How to find m more efficiently? we can choose m according to characteristic invert equations in first steps of hash function called message modification Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 13 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 14 / 30 SM3: too complex to draw :-( Design Complexity of the MD4 Family Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 15 / 30 Design Complexity of the MD4 Family SM3: too complex to draw :-( Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 15 / 30 The Hash Function SM3 Chinese hash function standard [Chi] (Chinese Commercial Cryptography Administration Office) Designed by Wang et al.
Recommended publications
  • Correlation Power Attack on a Message Authentication Code Based on SM3∗
    930 Yuan et al. / Front Inform Technol Electron Eng 2019 20(7):930-945 Frontiers of Information Technology & Electronic Engineering www.jzus.zju.edu.cn; engineering.cae.cn; www.springerlink.com ISSN 2095-9184 (print); ISSN 2095-9230 (online) E-mail: [email protected] Correlation power attack on a message authentication code based on SM3∗ Ye YUAN†1,2,Kai-geQU†‡1,2,Li-jiWU†‡1,2,Jia-weiMA3, Xiang-min ZHANG†1,2 1Institute of Microelectronics, Tsinghua University, Beijing 100084, China 2National Laboratory for Information Science and Technology, Tsinghua University, Beijing 100084, China 3State Key Laboratory of Cryptography, Beijing 100094, China †E-mail: [email protected]; [email protected]; [email protected]; [email protected] Received May 19, 2018; Revision accepted July 30, 2018; Crosschecked July 12, 2019 Abstract: Hash-based message authentication code (HMAC) is widely used in authentication and message integrity. As a Chinese hash algorithm, the SM3 algorithm is gradually winning domestic market value in China. The side channel security of HMAC based on SM3 (HMAC-SM3) is still to be evaluated, especially in hardware implementa- tion, where only intermediate values stored in registers have apparent Hamming distance leakage. In addition, the algorithm structure of SM3 determines the difficulty in HMAC-SM3 side channel analysis. In this paper, a skillful bit-wise chosen-plaintext correlation power attack procedure is proposed for HMAC-SM3 hardware implementation. Real attack experiments on a field programmable gate array (FPGA) board have been performed. Experimental results show that we can recover the key from the hypothesis space of 2256 based on the proposed procedure.
    [Show full text]
  • On the Design and Performance of Chinese OSCCA-Approved Cryptographic Algorithms Louise Bergman Martinkauppi∗, Qiuping He† and Dragos Ilie‡ Dept
    On the Design and Performance of Chinese OSCCA-approved Cryptographic Algorithms Louise Bergman Martinkauppi∗, Qiuping Hey and Dragos Iliez Dept. of Computer Science Blekinge Institute of Technology (BTH), Karlskrona, Sweden ∗[email protected], yping95 @hotmail.com, [email protected] Abstract—SM2, SM3, and SM4 are cryptographic standards in transit and at rest [4]. The law, which came into effect authorized to be used in China. To comply with Chinese cryp- on January 1, 2020, divides encryption into three different tography laws, standard cryptographic algorithms in products categories: core, ordinary and commercial. targeting the Chinese market may need to be replaced with the algorithms mentioned above. It is important to know beforehand Core and ordinary encryption are used for protecting if the replaced algorithms impact performance. Bad performance China’s state secrets at different classification levels. Both may degrade user experience and increase future system costs. We present a performance study of the standard cryptographic core and ordinary encryption are considered state secrets and algorithms (RSA, ECDSA, SHA-256, and AES-128) and corre- thus are strictly regulated by the SCA. It is therefore likely sponding Chinese cryptographic algorithms. that these types of encryption will be based on the national Our results indicate that the digital signature algorithms algorithms mentioned above, so that SCA can exercise full SM2 and ECDSA have similar design and also similar perfor- control over standards and implementations. mance. SM2 and RSA have fundamentally different designs. SM2 performs better than RSA when generating keys and Commercial encryption is used to protect information that signatures. Hash algorithms SM3 and SHA-256 have many design similarities, but SHA-256 performs slightly better than SM3.
    [Show full text]
  • RFC 8998: Shangmi (SM) Cipher Suites for TLS
    Stream: Independent Submission RFC: 8998 Category: Informational Published: March 2021 ISSN: 2070-1721 Author: P. Yang Ant Group RFC 8998 ShangMi (SM) Cipher Suites for TLS 1.3 Abstract This document specifies how to use the ShangMi (SM) cryptographic algorithms with Transport Layer Security (TLS) protocol version 1.3. The use of these algorithms with TLS 1.3 is not endorsed by the IETF. The SM algorithms are becoming mandatory in China, so this document provides a description of how to use the SM algorithms with TLS 1.3 and specifies a profile of TLS 1.3 so that implementers can produce interworking implementations. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8998. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.
    [Show full text]
  • Introduction to the Commercial Cryptography Scheme in China
    Introduction to the Commercial Cryptography Scheme in China atsec China Di Li Yan Liu [email protected] [email protected] +86 138 1022 0119 +86 139 1072 6424 6 November 2015, Washington DC, U.S. © atsec information security, 2015 Disclaimer atsec China is an independent lab specializing in IT security evaluations. The authors do not represent any Chinese government agency or Chinese government-controlled lab. All information used for this presentation is publicly available on the Internet, despite the fact that most of them are in Chinese. 6 November 2015, Washington DC, U.S. 2 Agenda § Background on commercial cryptography in China § Product certification list § Published algorithms and standards § Certification scheme § Conclusions 6 November 2015, Washington DC, U.S. 3 What is “Commercial Cryptography”? 6 November 2015, Washington DC, U.S. 4 OSCCA and Commercial Cryptography − What is “Commercial Cryptography” in China? − “Commercial Cryptography” is a set of algorithms and standards used in the commercial area, e.g. banks, telecommunications, third party payment gateways, enterprises, etc. … − In this area, only “Commercial Cryptography” certified products can be used. − Constituted by the Chinese Academy of Science (CAS) − Issued and regulated by the Office of the State Commercial Cryptography Administration (OSCCA) − Established in 1999 − Testing lab setup in 2005 6 November 2015, Washington DC, U.S. 5 OSCCA Certified Product List Certified product list (1322 items): http://www.oscca.gov.cn/News/201510/News_1310.htm 6 November 2015, Washington DC, U.S. 6 Certified Products and Its Use − Security IC chip − Password keypad − Hardware token including Public Key Infrastructure (PKI), One Time Password (OTP), and its supporting system − Hardware security machine / card − Digital signature and verification system − IPSEC / SSL VPN Gateway − Value Added Tax (VAT) audit system 6 November 2015, Washington DC, U.S.
    [Show full text]
  • TCG Algorithm Registry Family "2.0"
    TCG Algorithm Registry Family “2.0" Level 00 Revision 01.22 February 9, 2015 Published Contact: [email protected] TCG Published TCG Copyright © TCG 2015 TCG Algorithm Registry Disclaimers, Notices, and License Terms THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Without limitation, TCG disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this specification and to the implementation of this specification, and TCG disclaims all liability for cost of procurement of substitute goods or services, lost profits, loss of use, loss of data or any incidental, consequential, direct, indirect, or special damages, whether under contract, tort, warranty or otherwise, arising in any way out of use or reliance upon this specification or any information herein. This document is copyrighted by Trusted Computing Group (TCG), and no license, express or implied, is granted herein other than as follows: You may not copy or reproduce the document or distribute it to others without written permission from TCG, except that you may freely do so for the purposes of (a) examining or implementing TCG specifications or (b) developing, testing, or promoting information technology standards and best practices, so long as you distribute the document with these disclaimers, notices, and license terms. Contact the Trusted Computing Group at www.trustedcomputinggroup.org for information on specification licensing through membership agreements. Any marks and brands contained herein are the property of their respective owners.
    [Show full text]
  • Safenet USB HSM 6.3 SDK Reference Guide Document Information
    SafeNet USB HSM 6.3 SDK Reference Guide Document Information Product Version 6.3 Document Part Number 007-011302-015 Release Date 14 July 2017 Revision History Revision Date Reason A 14 July 2017 Initial release. Trademarks, Copyrights, and Third-Party Software Copyright 2001-2017 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. Acknowledgements This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org) This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). This product includes software developed by the University of California, Berkeley and its contributors. This product uses Brian Gladman’s AES implementation. Refer to the End User License Agreement for more information. Disclaimer All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information. This document can be used for informational, non-commercial, internal, and personal use only provided that: • The copyright notice, the confidentiality and proprietary legend and this full warning notice appear in all copies.
    [Show full text]
  • Hardware Performance Optimization and Evaluation of SM3 Hash Algorithm on FPGA
    Hardware Performance Optimization and Evaluation of SM3 Hash Algorithm on FPGA Yuan Ma 1,2,, Luning Xia1, Jingqiang Lin1, Jiwu Jing1, Zongbin Liu1, and Xingjie Yu1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, CAS, Beijing, China 2 Graduate University of Chinese Academy of Sciences, Beijing, China {yma,halk,linjq,jing,zbliu,xjyu}@lois.cn Abstract. Hash algorithms are widely used for data integrity and au- thenticity. Chinese government recently published a standard hash algo- rithm, SM3, which is highly recommended for commercial applications. However, little research of SM3 implementation has been published. We find that the existing optimization techniques cannot be adopted to SM3 efficiently, due to the complex computation and strong data dependency. In this paper, we present our novel optimization techniques: shift ini- tialization and SRL-based implementation. Based on the techniques, we propose two architectures: compact design and high-throughput design, both of which significantly improve the performance on FPGA. As far as we know, our work is the first one to evaluate SM3 hardware perfor- mance. The evaluation result suggests that SM3 with low area and high efficiency is suitable for hardware implementations, especially for those resource-limited platforms. Keywords: SM3, hash algorithm, FPGA, optimization, hardware per- formance evaluation. 1 Introduction At present, the performance in hardware has been demonstrated to be an impor- tant factor in the evaluation of cryptographic algorithms. The ASIC (Application- Specific Integrated Circuit) and FPGA (Field-Programmable Gate Array) are two common hardware devices for cryptographic implementations. FPGA implemen- tation has become more and more popular recently since it is reconfigurable and relatively flexible.
    [Show full text]
  • Improved Boomerang Attacks on Round-Reduced SM3 and Keyed Permutation of BLAKE-256
    Improved Boomerang Attacks on Round-Reduced SM3 and Keyed Permutation of BLAKE-256? Dongxia Bai1, Hongbo Yu1??, Gaoli Wang2, Xiaoyun Wang3;4;5 1 Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China [email protected], [email protected] 2 School of Computer Science and Technology, Donghua University, Shanghai 201620, China [email protected] 3 Institute for Advanced Study, Tsinghua University, Beijing 100084, China 4 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China 5 School of Mathematics, Shandong University, Jinan 250100, China [email protected] Abstract. In this paper we study the security of hash functions SM3 and BLAKE-256 against boomerang attack. SM3 is designed by X. Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. BLAKE is one of the five finalists of the NIST SHA-3 competition submitted by J.-P. Aumasson et al. For SM3, we present boomerang distinguishers for the compression function reduced to 34/35/36/37 steps out of 64 steps, with time complexities 231:4, 233:6, 273:4 and 2192 respectively. Then we show some incompatible problems existed in the previous boomerang attacks on SM3. Meanwhile, we launch boomerang attacks on up to 7 and 8 rounds keyed permutation of BLAKE-256 which are the first valid 7-round and 8-round boomerangs for BLAKE-256. Especially, since our distinguishers on 34/35-step compression function of SM3 and 7-round keyed permutation of BLAKE-256 are practical, we are able to obtain boomerang quartets of these attacks.
    [Show full text]
  • Intel® Integrated Performance Primitives Cryptography Developer Reference
    Intel® Integrated Performance Primitives Cryptography Developer Reference Intel Integrated Performance Primitives 2018 Legal Information Contents Contents Legal Information.............................................................................. 13 Getting Help and Support................................................................... 15 Introducing Intel® Integrated Performance Primitives Cryptography..................................................................................17 What's New........................................................................................ 19 Notational Conventions...................................................................... 21 Related Products................................................................................ 23 Chapter 1: Overview Basic Features......................................................................................... 25 Function Context Structures...................................................................... 25 Data Security Considerations..................................................................... 26 Chapter 2: Symmetric Cryptography Primitive Functions Block Cipher Modes of Operation................................................................27 Rijndael Functions....................................................................................28 AESGetSize.....................................................................................28 AESInit...........................................................................................29
    [Show full text]
  • Level 3 Non-Proprietary Security Policy For
    LEVEL 3 NON-PROPRIETARY SECURITY POLICY FOR SafeNet Luna K7+ Cryptographic Module (Used as a standalone device and as an embedded device in a SafeNet Luna Network HSM configured to use PED or Password Authentication) (FIPS 140-2 Physical Security Level 4) DOCUMENT NUMBER: 002-010937-001 REVISION LEVEL: H REVISION DATE: May 7, 2018 SECURITY LEVEL: Non-Proprietary © Copyright 2018 Gemalto. ALL RIGHTS RESERVED This document may be freely reproduced and distributed whole and intact including this copyright notice. Gemalto reserves the right to make changes in the product or its specifications mentioned in this publication without notice. Accordingly, the reader is cautioned to verify that information in this publication is current before placing orders. The information furnished by Gemalto in this document is believed to be accurate and reliable. However, no responsibility is assumed by Gemalto for its use, or for any infringements of patents or other rights of third parties resulting from its use. Document is Uncontrolled When Printed. 002-010937-001 Revision Level: H PREFACE This document deals only with operations and capabilities of the SafeNet Luna K7+ Cryptographic Module and SafeNet Luna K7+ Cryptographic Module for SafeNet Luna Network HSM in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the SafeNet HSMs and other Gemalto products from the following sources: The Gemalto internet site contains information on the full line of security products at https://safenet.gemalto.com. For answers to technical or sales related questions please refer to the contacts listed below or on the Gemalto internet site at https://safenet.gemalto.com/contact-us/.
    [Show full text]
  • Intel® Integrated Performance Primitives Cryptography
    Intel® Integrated Performance Primitives Cryptography Developer Reference Notices and Disclaimers Intel® Integrated Performance Primitives Cryptography Developer Reference Contents Notices and Disclaimers..................................................................... 11 Getting Help and Support................................................................... 12 Introducing Intel® Integrated Performance Primitives Cryptography ................................................................................. 13 What's New ....................................................................................... 14 Notational Conventions...................................................................... 15 Related Products ............................................................................... 16 Chapter 1: Overview Basic Features ........................................................................................ 17 Function Context Structures...................................................................... 17 Data Security Considerations .................................................................... 18 Chapter 2: Symmetric Cryptography Primitive Functions Block Cipher Modes of Operation ............................................................... 19 Rijndael Functions ................................................................................... 20 AESGetSize .................................................................................... 20 AESInit .........................................................................................
    [Show full text]
  • A Differential Power Analysis Attack on Dynamic Password Token Based on SM3 Algorithm
    First International Conference on Information Science and Electronic Technology (ISET 2015) A Differential Power Analysis Attack on Dynamic Password Token Based On SM3 Algorithm Limin Guo, Qing Li, Lihui Wang, Zhimin Zhang, Dan Liu, Weijun Shan Shanghai Fudan Microelectronics Group Company Limited, Shanghai, 200433, China E-mail: [email protected] Abstract—Dynamic password technology is one of the most Futhermore, it is recommended to use SM3 hash function to widely utilized methods for identity authentication. The security generate dynamic password in China. Thus, it is of great of dynamic password system depends on the cryptographic importance to study on the security of dynamic password strength of the underlying hash function. And SM3 is the only token based on SM3 algorithm. Many side channel attacks on standard hash algorithm of China. However, most cryptographic hash algorithm have been reported already. Many hash algorithm implementations are vulnerable against side channel algorithms are based on the mixing of different algebraic attacks. But specific side channel attacks on dynamic password operations. Lemke et al. [6] introduced a side channel attack token based on SM3 hash function have not been given so far. on the basic group operations, such as XOR, addition modulo This paper presents a differential power analysis attack on 2n and modular multiplication using multi-bit selection dynamic password token based on SM3 algorithm. SM3 hash functions. Okeya et al. [7] [8] evaluated the security of algorithm is based on the mixing of different algebraic operations, such as XOR and addition modulo 232, thus the proposed DPA HMAC algorithm based on block-cipher based hash functions.
    [Show full text]