DOCSLIB.ORG

Analysis and Design of Authenticated Ciphers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis and Design of Authenticated Ciphers This document is downloaded from DR‑NTU (https://dr.ntu.edu.sg) Nanyang Technological University, Singapore. Analysis and design of authenticated ciphers Huang, Tao 2016 Huang, T. (2016). Analysis and design of authenticated ciphers. Doctoral thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/65961 https://doi.org/10.32657/10356/65961 Downloaded on 25 Sep 2021 13:22:21 SGT Analysis and Design of Authenticated Ciphers Tao Huang 2016 Analysis and Design of Authenticated Ciphers Tao Huang School of Physical and Mathematical Sciences 2016 Analysis and Design of Authenticated Ciphers Tao Huang School of Physical and Mathematical Sciences A thesis submitted to Nanyang Technological University in partial fulllment of the requirement for the degree of Doctor of Philosophy 2016 Acknowledgments First of all, I would like to express my deepest gratitude to my supervisor, Prof Wu Hongjun, for introducing me to cryptography, for inspiring and encouraging me to explore various research topics, for providing me with all kinds of oppor- tunities to communicate with researchers in many conferences and workshops. I am also deeply appreciative for his instructive guidance and numerous helpful discussion and suggestions. I would like to thank Prof Xing Chaoping for supervising my undergraduate research project and encouraging me for my graduate study. I am very grateful to meet Thomas Peyrin, Axel Poschmann and my seniors Guo Jian and Wei Lei when I began my PhD study in NTU. I learned a lot in the reading group discussions. I am also pleased to thank Yu hongbo, Yu Sasaki, Wang Meiqin, Wu Wenling, Wu Shengbao, Lu Jiqiang for interesting discussions on various topics in the con- ferences and workshops. I am also delighted to have Lim Hoon Wei, Punarbasu Purkayastha, Su Le, Zhang Luchan, Ong Soon Sheng, Deng Yi, Hou Xiaolu, Wang Chenyu, Wang Jing, Tan Ming Ming as my labmates and friends in Singapore. And I am thankful to Pi Shuang for our long lasting friendships from middle school. Finally, I want to devote my sincere appreciation to my parents for their en- couragement and support. iii iv Abstract An authenticated cipher is a symmetric key cryptographic primitive which pro- tects the confidentiality, integrity and authenticity of the data. It is an integration of the existing symmetric key primitives such as block ciphers, stream ciphers and hash functions, and attracts a lot of research interests in recent years, especially after the announcement of the CAESAR competition. In this thesis, we study the analysis and designs of the authenticated ciphers. We begin with an introduction to symmetric key cryptography and authenticated ciphers followed by discussing on the typical methods used in the cryptanalysis and design of authenticated ciphers. Then, several concrete case studies in analyzing the authenticated ciphers are presented. We apply differential-linear cryptanalysis to recover the internal state of ICEPOLE. Differential IV cryptanalysis is used to attack the initialization of the 128-EEA3/128-EIA3 stream cipher ZUC. By exploiting the leaked state from the keystreams, we present a forgery attack on ALE. By exploiting the parameter set- tings, we present distinguishing and forgery attacks against the authenticated en- cryption scheme COFFE. We provide a collision attack to break the authentication claim for the authenticated encryption mode IOC. For the design of authenticated ciphers, we propose two schemes, JAMBU and MORUS fulfilling various features. JAMBU is a lightweight authenticated en- cryption mode which provides an intermediate level of nonce misuse resistance. MORUS is a nonce-based authenticated cipher which is targeted for high perfor- mance in both software and hardware. v vi Contents Acknowledgments iii Abstract v Contents vii List of Figures xv List of Notations xvii List of Abbreviations xix 1 Introduction 1 1.1 Authenticated Cipher . 1 1.1.1 Symmetric Key Cryptography . 1 1.1.1.1 Confidentiality . 3 1.1.1.2 Integrity and Authenticity . 4 1.1.2 Authenticated Encryption . 5 1.2 Cryptanalysis of Authenticated Ciphers . 8 1.2.1 Exhaustive Key Search Attack . 9 1.2.2 The Birthday Attack . 10 1.2.3 Differential Cryptanalysis . 10 1.2.4 Linear Cryptanalysis . 12 vii 1.2.5 Differential-Linear Cryptanalysis . 12 1.2.6 Guess and Determine Cryptanalysis . 13 1.2.7 Other Cryptanalysis . 14 1.3 Design of Authenticated Ciphers . 14 1.3.1 Block Cipher Based Authenticated Ciphers . 15 1.3.2 Stream Cipher Based Authenticated Ciphers . 16 1.3.3 Permutation Based Authenticated Ciphers . 17 1.3.4 Compression Function Based Authenticated Ciphers . 18 1.4 Outline of this thesis . 18 2 Differential-Linear Cryptanalysis of ICEPOLE 21 2.1 Introduction . 21 2.2 The ICEPOLE Authenticated Cipher . 23 2.2.1 Notations . 23 2.2.2 The ICEPOLE permutation P . 24 2.2.3 Initialization . 25 2.2.4 Processing associated data and plaintext . 27 2.2.5 Tag generation . 28 2.2.6 Security goals of ICEPOLE . 28 2.3 Differential-Linear Distinguishing Attack . 29 2.3.1 Constructing the differential characteristics . 30 2.3.2 Constructing the linear characteristic . 32 2.3.3 Observations to improve the attack . 33 2.3.4 Concatenating the differential and linear characteristics . 35 2.4 State Recovery Attack on ICEPOLE . 37 2.4.1 State recovery attacks on ICEPOLE–128 and ICEPOLE–128a . 37 2.4.1.1 Recovering U0 and U3 . 38 2.4.1.2 Recovering U2 ...................... 40 2.4.1.3 Recovering U1 ...................... 42 viii 2.4.1.4 Correcting the recovered state . 44 2.4.1.5 Summary of the attack . 44 2.4.2 State recovery attack on ICEPOLE–256a . 45 2.4.3 Implications of the state recovery attacks . 47 2.5 Experimental Results . 48 2.6 Conclusion . 49 3 Initialization Differential Attacks on ZUC 51 3.1 Introduction . 51 3.2 Preliminaries . 52 3.2.1 The Notations . 52 3.2.2 The general structure of ZUC 1.4 . 53 3.2.2.1 Linear feedback shift register(LFSR). 53 3.2.2.2 Bit-reorganization function. 54 3.2.2.3 Nonlinear function F ................... 54 3.2.3 The initialization of ZUC 1.4 . 55 3.2.3.1 Key and IV loading. 55 3.2.3.2 Running the cipher for 32 steps. 55 3.3 Overview of the Attacks . 56 3.4 Attack ZUC 1.4 with Difference at iv0 ................... 59 3.4.1 The weak keys for ∆iv0 ...................... 60 3.4.2 Detecting weak keys for ∆iv0 ................... 63 3.4.3 Recovering weak keys for ∆iv0 . 64 3.5 Attack ZUC 1.4 with Difference at iv1 ................... 65 3.5.1 Identical keystreams for ∆iv1 ................... 65 3.5.2 Key recovery for ∆iv1 ....................... 66 3.6 Improving ZUC 1.4 . 68 3.7 Conclusion . 68 ix 4 Leaked-State-Forgery Attack on ALE 69 4.1 Introduction . 69 4.2 The Specification of ALE . 71 4.3 A Basic Leaked-State Forgery Attack on ALE . 74 4.3.1 The main idea of the attack . 74 4.3.2 Finding a differential characteristic . 75 4.3.3 Launching the forgery attack . 76 4.4 Optimizing the Leaked-State-Forgery Attack . 79 4.4.1 Improving the differential probability . 79 4.4.1.1 Summary of the analysis. 84 4.4.2 Reducing the number of known plaintext blocks . 86 4.4.2.1 Relaxing conditions on effective active S-boxes. 86 4.4.2.2 Reducing the number of active leaked bytes in the first two rounds. 86 4.4.2.3 Summary of the analysis. 87 4.5 Experiments on a Reduced Version of ALE . 87 4.5.1 The “2–8–12–4” differential characteristic . 89 4.5.2 The “6–4–6–9” differential characteristic . 90 4.6 Conclusion . 91 5 Cryptanalysis of COFFE 93 5.1 Introduction . 93 5.2 The COFFE Authenticated Cipher . 95 5.2.1 Notations . 96 5.2.2 Associated Data Processing . 98 5.2.3 Initialization . 98 5.2.4 Processing plaintext . 99 5.2.5 Tag generation . 99 5.2.6 Security goals of COFFE . 99 x 5.3 Analysis on the COFFE scheme . 101 5.3.1 Modification of β . 102 5.3.2 Modification of α . 107 5.4 Distinguishing Attack . 108 5.5 Ciphertext Forgery Attack . 110 5.5.1 Forgery Attack with Constant Message Block Size . 110 5.5.2 Forgery Attack with Dynamic Message Block Size . 112 5.5.3 Combination of the Existing Attacks . 113 5.6 Related Key Recovery Attack . 113 5.7 Conclusion . 114 5.7.1 Attack Summary . 114 5.7.2 Lesson Learned . 115 6 Cryptanalysis of the IOC Authenticated Encryption Mode 117 6.1 Introduction . 117 6.2 The IOC Authenticated Encryption Mode . 118 6.2.1 Notations . 118 6.2.2 The IOC specification . 119 6.3 The Forgery Attack on IOC mode . 122 6.3.1 The basic idea of the forgery attack . 122 6.3.2 Constructing suitable pairs of collisions . 124 6.3.3 The attack procedure . 125 6.4 Conclusion . 126 7 The JAMBU Lightweight Authentication Encryption Mode 127 7.1 Introduction . 127 7.2 The JAMBU Mode of Operation . 127 7.2.1 Preliminary . 127 7.2.1.1 Operations . 127 xi 7.2.1.2 Notations and Constants . 128 7.2.2 Parameters . 129 7.2.3 Padding . 129 7.2.4 Initialization . 129 7.2.5 Processing the associated data . 130 7.2.6 Encryption of JAMBU . 130 7.2.7 Finalization and tag generation . ..
Load more

Recommended publications
  • Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher
    Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher Florian Mendel1, Thomas Peyrin2, Christian Rechberger1, and Martin Schl¨affer1 1 IAIK, Graz University of Technology, Austria 2 Ingenico, France [email protected],[email protected] Abstract. In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation3 and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO. Keywords: hash function, block cipher, cryptanalysis, semi-free-start collision, known-key distinguisher 1 Introduction Recently, a new wave of hash function proposals appeared, following a call for submissions to the SHA-3 contest organized by NIST [26]. In order to analyze these proposals, the toolbox which is at the cryptanalysts' disposal needs to be extended. Meet-in-the-middle and differential attacks are commonly used. A recent extension of differential cryptanalysis to hash functions is the rebound attack [22] originally applied to reduced (7.5 rounds) Whirlpool (standardized since 2000 by ISO/IEC 10118-3:2004) and a reduced version (6 rounds) of the SHA-3 candidate Grøstl-256 [14], which both have 10 rounds in total.
    [Show full text]
  • Efficient Hashing Using the AES Instruction
    Efficient Hashing Using the AES Instruction Set Joppe W. Bos1, Onur Özen1, and Martijn Stam2 1 Laboratory for Cryptologic Algorithms, EPFL, Station 14, CH-1015 Lausanne, Switzerland {joppe.bos,onur.ozen}@epfl.ch 2 Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom [email protected] Abstract. In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockci- pher with AES, which allows us to exploit the recent AES instruction set (AES- NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL- 256. Although we primarily target architectures supporting AES-NI, our frame- work has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi- block-length hash functions in software. 1 Introduction Historically, the most popular way of constructing a hash function is to iterate a com- pression function that itself is based on a blockcipher (this idea dates back to Ra- bin [49]). This approach has the practical advantage—especially on resource-constrained devices—that only a single primitive is needed to implement two functionalities (namely encrypting and hashing). Moreover, trust in the blockcipher can be conferred to the cor- responding hash function. The wisdom of blockcipher-based hashing is still valid today. Indeed, the current cryptographic hash function standard SHA-2 and some of the SHA- 3 candidates are, or can be regarded as, blockcipher-based designs.
    [Show full text]
  • International Journal of Computer Engineering and Applications, Volume XII, Special Issue, May 18, ISSN 2321-3469
    International Journal of Computer Engineering and Applications, Volume XII, Special Issue, May 18, www.ijcea.com ISSN 2321-3469 PROVIDING RESTRICTIONS AGAINST ATTACK AND CONGESTION CONTROL IN PUBLICINFRASTRUCTURE CLOUD Nousheen R1, Shanmugapriya M2, Sujatha P3,Dhinakaran D4 Student, Computer Science and Engineering, Peri Institute of Technology, Chennai, India 1,2,3 Assistant professor, Computer Science and Engineering, Peri Institute of Technology, Chennai, India 4 ABSTRACT: Cloud computing is current trend in market .It reduce the cost and complexity of service providers by the means of capital and operational cost.It allows users to access application remotely. This construct directs cloud service provider to handle cost of servers, software updates,etc. If the session tokens are not properly protected, an attacker can hijack an active session and assume the identity of a user. To focusing on session hijacking and broken authenticationOTP is generated it will send user mail.Once the user is authenticatedthey will be split into virtual machine it is initiate to the upload process into the cloud.Thecloud user files are uploaded and stored in domain based .Also in our proposed system encryption keys are maintained outside of the IaaS domain.For encryption, we proposed RSA algorithm .For data owner file encryption, we use camellia algorithm. Finally the files are stored in the public cloud named CloudMe. Keywords: Cloud computing, session hijacking, OTP, Virtual machine, Iaas, CloudMe [1] INTRODUCTION Cloud computing is an information technology(IT) standard that enables universal access to share group of configurable system resource and higher-level services that can be quickly provisioned with minimal management effort, often over the internet.
    [Show full text]
  • Rotational Rebound Attacks on Reduced Skein
    Rotational Rebound Attacks on Reduced Skein Dmitry Khovratovich1;2, Ivica Nikoli´c1, and Christian Rechberger3 1: University of Luxembourg; 2: Microsoft Research Redmond, USA; 3: Katholieke Universiteit Leuven, ESAT/COSIC, and IBBT, Belgium [email protected], [email protected], [email protected] Abstract. In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different construc- tions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 com- pression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function. The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers. Keywords: Skein, SHA-3, hash function, compression function, cipher, rotational cryptanalysis, rebound attack, distinguisher. 1 Introduction Rotational cryptanalysis and the rebound attack proved to be very effective in the analysis of SHA-3 candidates and related primitives.
    [Show full text]
  • Minalpher V1.1
    Minalpher v1.1 Designers Yu Sasaki, Yosuke Todo, Kazumaro Aoki, Yusuke Naito, Takeshi Sugawara, Yumiko Murakami, Mitsuru Matsui, Shoichi Hirose Submitters NTT Secure Platform Laboratories, Mitsubishi Electric Corporation, University of Fukui Contact [email protected] Version 1.1: 29 August 2015 Changes From v1.0 to v1.1 { Clarified the handling of illegal input length, specially, when a ciphertext length is not a multiple of a block. { Updated the numbers for software implementation on x86 64. { Added references which are found after the submission of v1.0. { Corrected typos. 2 1 Specification Section 1.1 specifies the mode of operation of Minalpher. Section 1.2 shows the exact parameters in our design. Section 1.3 defines the maximum input message length to Minalpher. Section 1.4 specifies the underlying primitive in Minalpher. 1.1 Mode of Operation Minalpher supports two functionalities: authenticated encryption with associated data (AEAD) and mes- sage authentication code (MAC). In this section, we specify these modes of operation. Subsection 1.1.1 gives notations used in the modes of operation. Subsection 1.1.2 specifies a padding rule used in the modes of operation. Subsection 1.1.3 specifies a primitive which we call tweakable Even- Mansour. The construction dates back to Kurosawa [27, 28], who builds a tweakable block-cipher from a permutation-based block-cipher proposed by Even and Mansour [18]. Tweakable block-ciphers are originated by Liskov, Rivest and Wagner [33]. Subsection 1.1.4 specifies the AEAD mode of operation. Subsection 1.1.5 specifies the MAC mode of operation.
    [Show full text]
  • Rebound Attacks on Stribog
    Rebound Attacks on Stribog B Riham AlTawy( ), Aleksandar Kircanski, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montr´eal, QC H4B 1R6, Canada r [email protected] Abstract. In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11–2012). Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities 28 and 240, respectively. Finally, the compression function is analyzed and a 7.75 round semi free- start collision, 8.75 and 9.75 round semi free-start near collisions are presented along with an example for 4.75 round 50 out of 64 bytes near colliding message pair. Keywords: Cryptanalysis · Hash functions · Meet in the middle · Rebound attack · GOST R 34.11-2012 · Stribog 1 Introduction Wang et al. attacks on MD5 [21] and SHA-1 [20] followed by the SHA-3 compe- tition [3] have led to a flurry in the area of hash function cryptanalysis where different design concepts and various attack strategies were introduced. Many of the proposed attacks were not only targeting basic properties but they also stud- ied any non-ideal behaviour of the hash function, compression function, internal cipher, or the used domain extender.
    [Show full text]
  • CRYPTREC Report 2009 暗号方式委員会報告書
    CRYPTREC Report 2009 平成22年3月 独立行政法人情報通信研究機構 独立行政法人情報処理推進機構 「暗号方式委員会報告」 目次 はじめに ······················································· 1 本報告書の利用にあたって ······································· 2 委員会構成 ····················································· 3 委員名簿 ······················································· 4 第 1 章 活動の目的 ··················································· 7 1.1 電子政府システムの安全性確保 ··································· 7 1.2 暗号方式委員会 ················································· 8 1.3 電子政府推奨暗号リスト ········································· 9 1.4 活動の方針 ····················································· 9 第 2 章 電子政府推奨暗号リスト改訂について ·························· 11 2.1 改訂の背景 ··················································· 11 2.2 改訂の目的 ··················································· 11 2.3 電子政府推奨暗号リスト改訂のための暗号技術公募(2009 年度) ····· 12 2.3.1 公募の概要 ·············································· 12 2.3.2 2009 年度公募カテゴリ ···································· 12 2.3.3 公募期間 ················································ 13 2.3.4 評価スケジュール ········································ 13 2.3.5 評価項目 ················································ 14 2.3.6 応募暗号技術 ············································ 14 2.3.7 事務局選出技術 ·········································· 15 2.3.8 CRYPTREC シンポジウムの開催 ······························ 15 2.4 CRYPTREC シンポジウム 2010―応募暗号説明会―について ··········· 16 2.4.1 開催目的 ················································ 16 2.4.2 プログラムの概要 ········································ 16 2.4.3 意見・コメントの概要 ····································
    [Show full text]
  • CRYPTREC Report 2008 暗号技術監視委員会報告書
    CRYPTREC Report 2008 平成21年3月 独立行政法人情報通信研究機構 独立行政法人情報処理推進機構 「暗号技術監視委員会報告」 目次 はじめに ······················································· 1 本報告書の利用にあたって ······································· 2 委員会構成 ····················································· 3 委員名簿 ······················································· 4 第 1 章 活動の目的 ··················································· 7 1.1 電子政府システムの安全性確保 ··································· 7 1.2 暗号技術監視委員会············································· 8 1.3 電子政府推奨暗号リスト········································· 9 1.4 活動の方針····················································· 9 第 2 章 電子政府推奨暗号リスト改訂について ·························· 11 2.1 改訂の背景 ··················································· 11 2.2 改訂の目的 ··················································· 11 2.3 電子政府推奨暗号リストの改訂に関する骨子······················ 11 2.3.1 現リストの構成の見直し ·································· 12 2.3.2 暗号技術公募の基本方針 ·································· 14 2.3.3 2009 年度公募カテゴリ ···································· 14 2.3.4 今後のスケジュール ······································ 15 2.4 電子政府推奨暗号リスト改訂のための暗号技術公募(2009 年度) ····· 15 2.4.1 公募の概要 ·············································· 16 2.4.2 2009 年度公募カテゴリ ···································· 16 2.4.3 提出書類 ················································ 17 2.4.4 評価スケジュール(予定) ·································· 17 2.4.5 評価項目 ················································ 18 2.4.6 応募暗号説明会の開催 ···································· 19 2.4.7 ワークショップの開催 ···································· 19 2.5
    [Show full text]
  • Efficient Large-State Tweakable Block Ciphers from the AES Round Function
    Pholkos – Efficient Large-state Tweakable Block Ciphers from the AES Round Function Jannis Bossert, Eik List, Stefan Lucks and Sebastian Schmitz Bauhaus-Universität Weimar, Weimar Germany <firstname>.<lastname>(at)uni-weimar.de Abstract. With the dawn of quantum computers, higher security than 128 bits has become desirable for primitives and modes. During the past decade, highly secure hash functions, MACs, and encryption schemes have been built primarily on top of keyless permutations, which simplified their analyses and implementation due to the absence of a key schedule. However, the security of these modes is most often limited to the birthday bound of the state size, and their analysis may require a different security model than the easier-to-handle secret-permutation setting. Yet, larger state and key sizes are desirable not only for permutations but also for other primitives such as block ciphers. Using the additional public input of tweakable block ciphers for domain separation allows for exceptionally high security or performance as recently proposed modes have shown. Therefore, it appears natural to ask for such designs. While security is fundamental for cryptographic primitives, performance is of similar relevance. Since 2009, processor-integrated instructions have allowed high throughput for the AES round function, which already motivated various constructions based on it. Moreover, the four-fold vectorization of the AES instruction sets in Intel’s Ice Lake architecture is yet another leap in terms of performance and gives rise to exploit the AES round function for even more efficient designs. This work tries to combine all aspects above into a primitive and to build upon years of existing analysis on its components.
    [Show full text]
  • Rebound Attacks on Stribog
    Rebound attacks on Stribog Riham AlTawy, Aleksandar Kircanski and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montr´eal, Queb´ec, CANADA Abstract. In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11-2012). Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities 28 and 240, respectively. Finally, the compression function is analyzed and a 7.75 round semi free-start collision, 8.75 and 9.75 round semi free-start near collisions are presented along with an example for 4.75 round 49 out of 64 bytes near colliding message pair. Keywords: Cryptanalysis, Hash functions, Meet in the middle, Rebound attack, GOST R 34.11-2012, Stribog 1 Introduction Wang et al. attacks on MD5 [18] and SHA-1 [17] followed by the SHA-3 com- petition [3] have led to a flurry in the area of hash function cryptanalysis where different design concepts and various attack strategies were introduced. Many of the proposed attacks were not only targeting basic properties but they also stud- ied any non-ideal behaviour of the hash function, compression function, internal cipher, or the used domain extender.
    [Show full text]
  • Stribobr2: “WHIRLBOB”
    STRIBOBr2: “WHIRLBOB” Second Round CAESAR Algorithm Tweak Specification Pricipal Submitter Markku-Juhani O. Saarinen [email protected] Queen’s University Belfast, UK Billy B. Brumley [email protected] Tampere University of Technology, Finland August 28, 2015 For updates and further information: http://www.stribob.com Contents Preface and Introduction 1 1 Specification 2 1.1 Structure of the π Permutation .................................. 2 1.1.1 Substitution S or SubBytes ................................ 2 1.1.2 Permutation P or ShiftColumns ............................. 2 1.1.3 Linear operation L or MixRows .............................. 3 1.1.4 Constants Cr or AddRoundKey ............................... 3 1.1.5 Code for π Computation .................................. 4 1.2 BLNK Sponge Mode and Padding ................................ 5 1.2.1 BLNK Block Operations .................................. 5 1.2.2 The CAESAR encrypt() and decrypt() AEAD API .................... 6 1.3 Test Vectors ............................................. 7 1.3.1 The 12-round π transform ................................. 7 1.3.2 Authenticated Encryption ................................. 8 2 Security Goals 9 2.1 Specific Goals ............................................ 9 2.2 Nonce Re-Use ............................................ 9 2.3 General Goals ............................................ 9 3 Security Analysis 10 3.1 Attacks on the Sponge AEAD Mode BLNK ........................... 10 3.2 The π Permutation ........................................
    [Show full text]
  • A Meet in the Middle Attack on Reduced Round Kuznyechik
    IEICE TRANS. FUNDAMENTALS, VOL.Exx{??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWYya), Member and Amr M. YOUSSEFyb), Nonmember SUMMARY In this letter, we present a meet-in-the-middle from 2192 to 2128. Later on, Derbez et al. [7] improved attack on the 5-round reduced Kuznyechik cipher which has been the attack of Dunkelman et al. by borrowing ideas from recently chosen to be standardized by the Russian federation. the rebound attack [8] which further brought the num- Our attack is based on the differential enumeration approach. However, the application of the exact approach is not success- ber of required parameters to 10 bytes, thus the number ful on Kuznyechik due to its optimal round diffusion properties. of entries of the precomputation table is further reduced Accordingly, we adopt an equivalent representation for the last to 280. Moreover, a 9-round attack on AES-192 using round where we can efficiently filter ciphertext pairs and launch a 5-round truncated differential distinguisher was pre- the attack in the chosen ciphertext setting. We also utilize par- tial sequence matching which further reduces the memory and sented by Li et al. in [9]. Finally, Guo et al. generalized time complexities. For the 5-round reduced cipher, the 256-bit the attack on Feistel structures in [10]. master key is recovered with an online time complexity of 2140:3, In this work, we present a MitM attack on a memory complexity of 2153:3, and a data complexity of 2113.
    [Show full text]