DOCSLIB.ORG

Analysis and Implementation of Estream and SHA-3 Cryptographic Algorithms

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis and Implementation of Estream and SHA-3 Cryptographic Algorithms COOPER UNION FOR THE ADVANCEMENT OF SCIENCE AND ART ALBERT NERKEN SCHOOL OF ENGINEERING Analysis and Implementation of eSTREAM and SHA-3 Cryptographic Algorithms by Deian Stefan A thesis submitted in partial fulfillment of the requirements for the degree of Master of Engineering May 10, 2011 Advisor Dr. Fred L. Fontaine COOPER UNION FOR THE ADVANCEMENT OF SCIENCE AND ART ALBERT NERKEN SCHOOL OF ENGINEERING This thesis was prepared under the direction of the Candidate’s Thesis Advisor and has received approval. It was submitted to the Dean of the School of Engineering and the full Faculty, and was approved as partial fulfillment of the requirements for the degree of Master of Engineering. Dr. Simon Ben Avi Dean, School of Engineering Dr. Fred L. Fontaine Candidate’s Thesis Advisor Abstract Invaluable benchmarking efforts have been made to measure the perfor- mance of eSTREAM portfolio stream ciphers and SHA-3 hash function can- didates on multiple architectures. In this thesis we contribute to these ef- forts; we evaluate the performance of all eSTREAM ciphers and all second- round SHA-3 candidates on NVIDIA Graphics Processing Units (GPUs). Complementarity, we present the first implementation of the cube at- tack in a multi-GPU setting. Our framework proves useful in the practi- cal analysis of algorithms by providing a generic black box interface and speedup factors over 100¢. Demonstrating its use we analyze two eS- TREAM stream ciphers, MICKEY v2 and Trivium. We find that MICKEY is not susceptible to low-degree cube attacks, while our Trivium analysis confirms previous results, in addition to several new equations applicable to a partial key recovery. We also extend the linear differential cryptanalysis framework intro- duced by Brier, Khazaei, Meier and Peyrin at ASIACRYPT 2009 using two new trail search algorithms, and several optimizations. We find several collision and second preimage attacks on simplified and round-reduced variants of BLAKE and CubeHash, two SHA-3 second round candidates. Using the extended framework we also present improved collision attacks on CubeHash, when compared to previous results. In combination with the condition function concept, our new trail search algorithms lead to much faster collision attacks. We demonstrate this by providing a real col- lision for CubeHash-5/96. Additionally our randomized trail search finds highly probable linear differential trails and leads to significantly better attacks for up to eight rounds of CubeHash. Acknowledgments I would like to thank my advisor Fred L. Fontaine for his encouragement and support on this work and my Electrical Engineering studies at The Cooper Union. I am especially grateful for his efforts in providing an ex- ¦ cellent environment, the S ProCom2 lab, in which I have flourished as both a student and researcher; our collaboration is one of the most rewarding and influential experiences to date. I am grateful to Peter Cooper and The Cooper Union for providing me with the opportunity to gain an exceptional education. I am thankful for having had the opportunity to work with and study under Jeff Hakner, Danfeng Yao, Kausik Chatterjee, William Donahue, and Alan Berenbaum. They have in many ways influenced my choice to pursue research studies. I would like to thank all my coauthors for the fruitful discussions and great moments we exchanged. In particular, I would like to thank David B. Nummey, Christopher Mitchell, Jared Harwayne-Gidansky, Ishaan L. Dalal, and Matthew Epstein. Furthermore, I am especially grateful to Arjen K. Lenstra, Joppe Boss and Shahram Khazaei for my summer study at LACAL, the work of which led to this thesis. Finally, I would like to thank my friends and family for supporting me during my studies. Most of all, I am grateful to my parents for their ongoing support and encouragement. Contents List of Figures viii List of Tablesx List of Algorithms xi 1 Introduction1 1.1 Stream Ciphers . .2 1.2 Hash Functions . .3 1.3 High-Performance Cryptologic Computing . .4 1.4 Related Work . .6 1.5 Contributions . .8 1.5.1 Implementation Contributions . .8 1.5.2 Analysis Contributions . 10 1.6 Thesis Outline . 11 2 Target primitives 12 2.1 eSTREAM Stream Ciphers . 13 2.1.1 Trivium . 14 2.1.2 MICKEY v2 . 16 2.2 SHA-3 Candidates . 19 2.2.1 BLAKE . 20 2.2.2 CubeHash . 25 3 SMP and GPU Parallel Programming 28 3.1 OpenMP and SMPs . 29 3.1.1 SMP Architectures . 30 3.1.2 OpenMP Programming . 31 3.2 CUDA and GPUs . 42 3.2.1 GPU Architectures . 43 3.2.2 CUDA Programming . 45 v CONTENTS vi 4 Cube Attack 54 4.1 Preliminaries . 55 4.2 Preprocessing . 60 4.2.1 Finding Maxterms . 61 4.2.2 Superpoly Reconstruction . 65 4.3 Online Attack . 68 5 Linear Differential Cryptanalysis 71 5.1 Constructing Differential Trails . 73 5.1.1 Notation . 74 5.1.2 Raw Probability . 74 5.1.3 Forward Differential Trails . 76 5.1.4 Reverse Differential Trails . 77 5.1.5 Randomized Differential Trails . 78 5.2 Finding Collisions Using Condition Functions . 79 5.3 Freedom Degrees Use: Dependency Table . 85 6 Cryptography and Cryptanalysis on GPUs 91 6.1 GPU Implementation of eSTREAM Ciphers . 93 6.1.1 gSTREAM Framework . 93 6.1.2 Implementation of eSTEAM Ciphers . 96 6.2 GPU Implementation of SHA-3 Candidates . 100 6.2.1 AES-Inspired SHA-3 Candidates . 101 6.2.2 Other SHA-3 Candidates . 104 6.3 Multi-GPU Implementation of the Cube Attack . 108 6.3.1 Finding Maxterms . 110 6.3.2 Superpoly Reconstruction . 113 6.3.3 Performance Measurements . 113 7 Cryptanalysis Results 117 7.1 Applying the Cube Attack . 117 7.1.1 Trivium . 118 7.1.2 MICKEY . 118 7.2 Applying Linear Differential Cryptanalysis . 121 7.2.1 BLAKE . 122 7.2.2 CubeHash . 123 8 Conclusion 136 A BLAKE Constants 138 B MICKEY v2 Constants 141 C Software Implementation of Grain 143 CONTENTS vii D gSTREAM API and Implementations 148 D.1 gSTREAM API . 148 D.2 MICKEY v2 Example Implementation . 159 D.3 Trivium Example Implementation . 172 E XOR-Shift RNG Implementation 184 F Differential Trails 187 F.1 BLAKE differential trails . 187 F.2 CubeHash-¦/t10, 20, 24, 36, 96u differential trails . 190 Bibliography 213 List of Figures 3.1 Uniform memory access architectures . 31 3.2 Non-uniform memory access architectures . 32 3.3 Fork-join programming model . 33 3.4 GT200 Texture Processor Cluster . 43 3.5 Multi-block parallel reduction using shared memory. 52 4.1 Preprocessing phase of the cube attack . 60 4.2 On-line phase of the cube attack . 69 6.1 Program flow using the gSTREAM framework. 94 6.2 32-bit Grain Core i7 960 (2.8GHz) benchmarking results . 99 6.3 Finding a maxterm for high-dimensional cube . 110 6.4 Finding a maxterm for medium-dimensional cube . 111 7.1 Linear differential framework using OpenMP . 121 r 7.2 CubeHash’s Compresslin ........................... 126 viii List of Tables 2.1 eSTREAM portfolio algorithms. 13 2.2 SHA-3 second-round candidates. 20 3.1 Commonly used parallel construct clauses. 34 3.2 Clauses supported by the work-share constructs. 37 3.3 Commonly used synchronization constructs. 41 3.4 Commonly-used OpenMP runtime functions. 42 6.1 Performance estimates for eSTREAM ciphers . 97 6.2 GPU performance results and estimates for eSTREAM ciphers . 98 6.3 Mix-column estimates . 103 6.4 Count of AES-like operations in SHA3-candidate designs . 105 6.5 GPU performance estimates for non-AES SHA3-candidates . 107 6.6 GPU performance results for SHA-3 non-AES based candidates . 109 6.7 Cube attack finding maxterms performance . 114 6.8 Cube attack superpoly reconstruction performance . 115 7.1 Trivium analysis, confirming existing results . 119 7.2 Trivium analysis, new results . 120 7.3 BLAKE32 analysis results . 122 7.4 BLAKE64 analysis results . 123 7.5 Minimal number of conditions found for l = 3 ............ 125 7.6 Minimal number of conditions y found with the randomized search 126 7.7 Logarithmic theoretical complexities cD of improved collision attacks.127 7.8 Cubehash (t, y) ............................... 128 7.9 CubeHash collision complexities cD with 1-bit modifications . 129 7.10 CubeHash collision complexities cD with 2-bit modifications . 129 7.11 CubeHash collision complexities cD with 4-bit modifications . 130 7.12 CubeHash collision complexities cD with 8-bit modifications . 130 7.13 Number of conditions per round theoretical complexities. 133 7.14 Partition sets for CubeHash-5/96 collision trail . 135 A.1 BLAKE intial values . 138 A.2 BLAKE permutation function . 139 ix LIST OF TABLES x A.3 BLAKE constant values . 140 List of Algorithms 2.1 Trivium state update function . 15 2.2 MICKEY state update function . 17 2.3 Clockr - clocking MICKEY’s r register . 18 2.4 Clocks - clocking MICKEY’s s register . 18 2.5 BLAKE’s compression function . 22 2.6 BLAKE-32 Gi function . 23 2.7 Round funtion for CubeHash . 27 4.1 Finding a maxterm . 66 4.2 Superpoly reconstruction . 68 5.1 Calculating the probabilistic-effect and dependancy tables . 87 5.2 Creating input and output partitions of a condition function . 88 5.3 Tree-based backtracking preimage search . 89 5.4 Computing adaptive backtrack steps . 90 xi Chapter 1 Introduction Security has become a crucial aspect in the design and use of computer systems and networks. Whether one is designing a wireless communication system, web application, or network protocol, addressing security is an essential engineering criterion. Though a well-designed system is built from a multitude of compo- nents, the use of cryptography as a building block is almost unanimous.
Load more

Recommended publications
  • Failures of Secret-Key Cryptography D
    Failures of secret-key cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven http://xkcd.com/538/ 2011 Grigg{Gutmann: In the past 15 years \no one ever lost money to an attack on a properly designed cryptosystem (meaning one that didn't use homebrew crypto or toy keys) in the Internet or commercial worlds". 2011 Grigg{Gutmann: In the past 15 years \no one ever lost money to an attack on a properly designed cryptosystem (meaning one that didn't use homebrew crypto or toy keys) in the Internet or commercial worlds". 2002 Shamir:\Cryptography is usually bypassed. I am not aware of any major world-class security system employing cryptography in which the hackers penetrated the system by actually going through the cryptanalysis." Do these people mean that it's actually infeasible to break real-world crypto? Do these people mean that it's actually infeasible to break real-world crypto? Or do they mean that breaks are feasible but still not worthwhile for the attackers? Do these people mean that it's actually infeasible to break real-world crypto? Or do they mean that breaks are feasible but still not worthwhile for the attackers? Or are they simply wrong: real-world crypto is breakable; is in fact being broken; is one of many ongoing disaster areas in security? Do these people mean that it's actually infeasible to break real-world crypto? Or do they mean that breaks are feasible but still not worthwhile for the attackers? Or are they simply wrong: real-world crypto is breakable; is in fact being broken; is one of many ongoing disaster areas in security? Let's look at some examples.
    [Show full text]
  • A Quantitative Study of Advanced Encryption Standard Performance
    United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible.
    [Show full text]
  • Key Differentiation Attacks on Stream Ciphers
    Key differentiation attacks on stream ciphers Abstract In this paper the applicability of differential cryptanalytic tool to stream ciphers is elaborated using the algebraic representation similar to early Shannon’s postulates regarding the concept of confusion. In 2007, Biham and Dunkelman [3] have formally introduced the concept of differential cryptanalysis in stream ciphers by addressing the three different scenarios of interest. Here we mainly consider the first scenario where the key difference and/or IV difference influence the internal state of the cipher (∆key, ∆IV ) → ∆S. We then show that under certain circumstances a chosen IV attack may be transformed in the key chosen attack. That is, whenever at some stage of the key/IV setup algorithm (KSA) we may identify linear relations between some subset of key and IV bits, and these key variables only appear through these linear relations, then using the differentiation of internal state variables (through chosen IV scenario of attack) we are able to eliminate the presence of corresponding key variables. The method leads to an attack whose complexity is beyond the exhaustive search, whenever the cipher admits exact algebraic description of internal state variables and the keystream computation is not complex. A successful application is especially noted in the context of stream ciphers whose keystream bits evolve relatively slow as a function of secret state bits. A modification of the attack can be applied to the TRIVIUM stream cipher [8], in this case 12 linear relations could be identified but at the same time the same 12 key variables appear in another part of state register.
    [Show full text]
  • CS-466: Applied Cryptography Adam O'neill
    Hash functions CS-466: Applied Cryptography Adam O’Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage • Today we will study a second lower-level primitive, hash functions. Setting the Stage • Today we will study a second lower-level primitive, hash functions. • Hash functions like MD5, SHA1, SHA256 are used pervasively. Setting the Stage • Today we will study a second lower-level primitive, hash functions. • Hash functions like MD5, SHA1, SHA256 are used pervasively. • Primary purpose is data compression, but they have many other uses and are often treated like a “magic wand” in protocol design. Collision resistance (CR) Collision Resistance n Definition: A collision for a function h : D 0, 1 is a pair x1, x2 D → { } ∈ of points such that h(x1)=h(x2)butx1 = x2. ̸ If D > 2n then the pigeonhole principle tells us that there must exist a | | collision for h. Mihir Bellare UCSD 3 Collision resistance (CR) Collision resistanceCollision Resistance (CR) n Definition: A collision for a function h : D 0, 1 n is a pair x1, x2 D Definition: A collision for a function h : D → {0, 1} is a pair x1, x2 ∈ D of points such that h(x1)=h(x2)butx1 = →x2.{ } ∈ of points such that h(x1)=h(x2)butx1 ≠ x2. ̸ If D > 2n then the pigeonhole principle tells us that there must exist a If |D| > 2n then the pigeonhole principle tells us that there must exist a collision| | for h. collision for h. We want that even though collisions exist, they are hard to find.
    [Show full text]
  • Linearization Framework for Collision Attacks: Application to Cubehash and MD6
    Linearization Framework for Collision Attacks: Application to CubeHash and MD6 Eric Brier1, Shahram Khazaei2, Willi Meier3, and Thomas Peyrin1 1 Ingenico, France 2 EPFL, Switzerland 3 FHNW, Switzerland Abstract. In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on lineariza- tion of compression functions in order to find low weight differential characteris- tics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differ- ential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector under the con- dition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on each output bit. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in ac- celerated preimage reconstruction under the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates. Keywords: Hash functions, collisions, differential attack, SHA-3, CubeHash and MD6. 1 Introduction Hash functions are important cryptographic primitives that find applications in many areas including digital signatures and commitment schemes. A hash function is a trans- formation which maps a variable-length input to a fixed-size output, called message digest. One expects a hash function to possess several security properties, one of which is collision resistance.
    [Show full text]
  • Side Channel Analysis Attacks on Stream Ciphers
    Side Channel Analysis Attacks on Stream Ciphers Daehyun Strobel 23.03.2009 Masterarbeit Ruhr-Universität Bochum Lehrstuhl Embedded Security Prof. Dr.-Ing. Christof Paar Betreuer: Dipl.-Ing. Markus Kasper Erklärung Ich versichere, dass ich die Arbeit ohne fremde Hilfe und ohne Benutzung anderer als der angegebenen Quellen angefertigt habe und dass die Arbeit in gleicher oder ähnlicher Form noch keiner anderen Prüfungsbehörde vorgelegen hat und von dieser als Teil einer Prüfungsleistung angenommen wurde. Alle Ausführungen, die wörtlich oder sinngemäß übernommen wurden, sind als solche gekennzeichnet. Bochum, 23.März 2009 Daehyun Strobel ii Abstract In this thesis, we present results from practical differential power analysis attacks on the stream ciphers Grain and Trivium. While most published works on practical side channel analysis describe attacks on block ciphers, this work is among the first ones giving report on practical results of power analysis attacks on stream ciphers. Power analyses of stream ciphers require different methods than the ones used in todays most popular attacks. While for the majority of block ciphers it is sufficient to attack the first or last round only, to analyze a stream cipher typically the information leakages of many rounds have to be considered. Furthermore the analysis of hardware implementations of stream ciphers based on feedback shift registers inevitably leads to methods combining algebraic attacks with methods from the field of side channel analysis. Instead of a direct recovery of key bits, only terms composed of several key bits and bits from the initialization vector can be recovered. An attacker first has to identify a sufficient set of accessible terms to finally solve for the key bits.
    [Show full text]
  • Nasha, Cubehash, SWIFFTX, Skein
    6.857 Homework Problem Set 1 # 1-3 - Open Source Security Model Aleksandar Zlateski Ranko Sredojevic Sarah Cheng March 12, 2009 NaSHA NaSHA was a fairly well-documented submission. Too bad that a collision has already been found. Here are the security properties that they have addressed in their submission: • Pseudorandomness. The paper does not address pseudorandomness directly, though they did show proof of a fairly fast avalanching effect (page 19). Not quite sure if that is related to pseudorandomness, however. • First and second preimage resistance. On page 17, it references a separate document provided in the submission. The proofs are given in the file Part2B4.pdf. The proof that its main transfunction is one-way can be found on pages 5-6. • Collision resistance. Same as previous; noted on page 17 of the main document, proof given in Part2B4.pdf. • Resistance to linear and differential attacks. Not referenced in the main paper, but Part2B5.pdf attempts to provide some justification for this. • Resistance to length extension attacks. Proof of this is given on pages 4-5 of Part2B4.pdf. We should also note that a collision in the n = 384 and n = 512 versions of the hash function. It was claimed that the best attack would be a birthday attack, whereas a collision was able to be produced within 2128 steps. CubeHash According to the author, CubeHash is a very simple cryptographic hash function. The submission does not include almost any of the security details, and for the ones that are included the analysis is very poor. But, for the sake of making this PSet more interesting we will cite some of the authors comments on different security issues.
    [Show full text]
  • On Security and Privacy for Networked Information Society
    Antti Hakkala On Security and Privacy for Networked Information Society Observations and Solutions for Security Engineering and Trust Building in Advanced Societal Processes Turku Centre for Computer Science TUCS Dissertations No 225, November 2017 ON SECURITY AND PRIVACY FOR NETWORKED INFORMATIONSOCIETY Observations and Solutions for Security Engineering and Trust Building in Advanced Societal Processes antti hakkala To be presented, with the permission of the Faculty of Mathematics and Natural Sciences of the University of Turku, for public criticism in Auditorium XXII on November 18th, 2017, at 12 noon. University of Turku Department of Future Technologies FI-20014 Turun yliopisto 2017 supervisors Adjunct professor Seppo Virtanen, D. Sc. (Tech.) Department of Future Technologies University of Turku Turku, Finland Professor Jouni Isoaho, D. Sc. (Tech.) Department of Future Technologies University of Turku Turku, Finland reviewers Professor Tuomas Aura Department of Computer Science Aalto University Espoo, Finland Professor Olaf Maennel Department of Computer Science Tallinn University of Technology Tallinn, Estonia opponent Professor Jarno Limnéll Department of Communications and Networking Aalto University Espoo, Finland The originality of this thesis has been checked in accordance with the University of Turku quality assurance system using the Turnitin OriginalityCheck service ISBN 978-952-12-3607-5 (Online) ISSN 1239-1883 To my wife Maria, I am forever grateful for everything. Thank you. ABSTRACT Our society has developed into a networked information soci- ety, in which all aspects of human life are interconnected via the Internet — the backbone through which a significant part of communications traffic is routed. This makes the Internet ar- guably the most important piece of critical infrastructure in the world.
    [Show full text]
  • Quantum Preimage and Collision Attacks on Cubehash
    Quantum Preimage and Collision Attacks on CubeHash Gaëtan Leurent University of Luxembourg, [email protected] Abstract. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2192. This kind of attack is expected to cost 2256 for a good 512-bit hash function, and we argue that this violates the expected security of CubeHash. The preimage attack can also be used as a collision attack, given that a generic quantum collision attack on a 512-bit hash function require 2256 operations, as explained in the CubeHash submission document. This attack only uses very simple techniques, most of which are borrowed from previous analysis of CubeHash: we just combine symmetry based attacks [1,8] with Grover’s algo- rithm. However, it is arguably the first attack on a second-round SHA-3 candidate that is more efficient than the attacks considered by the designer. 1 Introduction CubeHash is a hash function designed by Bernstein and submitted to the SHA-3 com- petition [2]. It has been accepted for the second round of the competition. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2192. We show that this attack should be considered as better that the attacks considered by the designer, and we explain what were our expectations of the security of CubeHash. P P Fig. 1. CubeHash follows the sponge construction 1.1 CubeHash Versions CubeHash is built following the sponge construction with a 1024-bit permutation. The small size of the state allows for compact hardware implementations, but it is too small to build a fast 512-bit hash function satisfying NIST security requirements.
    [Show full text]
  • Inside the Hypercube
    Inside the Hypercube Jean-Philippe Aumasson1∗, Eric Brier3, Willi Meier1†, Mar´ıa Naya-Plasencia2‡, and Thomas Peyrin3 1 FHNW, Windisch, Switzerland 2 INRIA project-team SECRET, France 3 Ingenico, France Some force inside the Hypercube occasionally manifests itself with deadly results. http://www.staticzombie.com/2003/06/cube 2 hypercube.html Abstract. Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h (the compression function makes r rounds, while the finalization function makes 10r rounds). The 1024-bit internal state of CubeHash is represented as a five-dimensional hypercube. The sub- missions to NIST recommends r = 8, b = 1, and h ∈ {224, 256, 384, 512}. This paper presents the first external analysis of CubeHash, with • improved standard generic attacks for collisions and preimages • a multicollision attack that exploits fixed points • a study of the round function symmetries • a preimage attack that exploits these symmetries • a practical collision attack on a weakened version of CubeHash • a study of fixed points and an example of nontrivial fixed point • high-probability truncated differentials over 10 rounds Since the first publication of these results, several collision attacks for reduced versions of CubeHash were published by Dai, Peyrin, et al. Our results are more general, since they apply to any choice of the parame- ters, and show intrinsic properties of the CubeHash design, rather than attacks on specific versions. 1 CubeHash Bernstein’s CubeHash is a hash function family submitted to the NIST Hash Competition.
    [Show full text]
  • Stream Ciphers (Contd.)
    Stream Ciphers (contd.) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives • Non-linear feedback shift registers • Stream ciphers using LFSRs: – Non-linear combination generators – Non-linear filter generators – Clock controlled generators – Other Stream Ciphers Low Power Ajit Pal IIT Kharagpur 1 Non-linear feedback shift registers • A Feedback Shift Register (FSR) is non-singular iff for all possible initial states every output sequence of the FSR is periodic. de Bruijn Sequence An FSR with feedback function fs(jj−−12 , s ,..., s jL − ) is non-singular iff f is of the form: fs=⊕jL−−−−+ gss( j12 , j ,..., s jL 1 ) for some Boolean function g. The period of a non-singular FSR with length L is at most 2L . If the period of the output sequence for any initial state of a non-singular FSR of length L is 2L , then the FSR is called a de Bruijn FSR, and the output sequence is called a de Bruijn sequence. Low Power Ajit Pal IIT Kharagpur 2 Example f (,xxx123 , )1= ⊕⊕⊕ x 2 x 3 xx 12 t x1 x2 x3 t x1 x2 x3 0 0 0 0 4 0 1 1 1 1 0 0 5 1 0 1 2 1 1 0 6 0 1 0 3 1 1 1 3 0 0 1 Converting a maximal length LFSR to a de-Bruijn FSR Let R1 be a maximum length LFSR of length L with linear feedback function: fs(jj−−12 , s ,..., s jL − ). Then the FSR R2 with feedback function: gs(jj−−12 , s ,..., s jL − )=⊕ f sjj−−12 , s ,..., s j −L+1 is a de Bruijn FSR.
    [Show full text]
  • Secure Multi Keyword Fuzzy with Semantic Expansion Based Search Over Encrypted Cloud Data
    SECURE MULTI KEYWORD FUZZY WITH SEMANTIC EXPANSION BASED SEARCH OVER ENCRYPTED CLOUD DATA ARFA BAIG Dept of Computer Science & Engineering B.N.M Institute of Technology, Bangalore, India E-mail: [email protected] Abstract— The initiation of cloud computing has led to ease of access in Internet-based computing and is commonly used for web servers or development systems where there are security and compliance requirements. Nevertheless, some of the confidential information has to be encrypted to avoid any intrusion. Henceforward as an attempt, a semantic expansion based multi- keyword fuzzy search provides solution over encrypted cloud data by using the locality-sensitive hashing technique. This solution returns not only the accurately matched files, but also the files including the terms semantically related to the query keyword. In the proposed scheme fuzzy matching is achieved through algorithmic design rather than expanding the index files. It also eradicates the need of a predefined dictionary and effectively supports multiple keyword fuzzy search without increasing the index or search complexity. The indexes are formed based on locality sensitive hashing (LSH), the result files are returned according to the total relevance score. Index Terms—Multi keyword fuzzy search, Locality Sensitive Hashing, Secure Semantic Expansion. support fuzzy search and also required the use of pre- I. INTRODUCTION defined dictionary which lacked scalability and Cloud computing is a form of computing that depends flexibility for modification and updation of the data. on sharing computing resources rather than having These drawbacks create the necessity of the new local servers or personal devices to handle technique of multi keyword fuzzy search.
    [Show full text]