DOCSLIB.ORG

V. Ruzhentsev

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
V. Ruzhentsev Eastern-European Journal of Enterprise Technologies ISSN 1729-3774 6/9 ( 90 ) 2017 UDC 004.056.55 Розглядаються дві схеми побудови колізійних DOI: 10.15587/1729-4061.2017.117684 rebound атак на Grostl-подібні алгоритми ґешу- вання. Пропонується підхід до визначення потріб- ної кількості циклів для забезпечення стійкості до DEVELOPMENT OF розглянутих атак. Запропонований підхід засто- совується до алгоритму Купина, який прийнято THE APPROACH в якості українського національного стандарту ґешування ДСТУ 7564:2014. Доводиться, що наяв- TO PROVING THE ність 5 і больше циклів в кожному з перетворень P і Q цього алгоритму ґешування робить його стійким SECURITY OF GROSTL- до атаки «зміни напрямку» (rebound attack) Ключові слова: алгоритм ґешування, Grostl, LIKE HASHING Rijndael-подібні перетворення, колізійна атака, rebound атака ALGORITHMS TO Рассматриваются две схемы организации REBOUND ATTACKS коллизионных rebound атак на Grostl-подобные алгоритмы хеширования. Предлагается подход V. Ruzhentsev к определению необходимого количества циклов Doctor of Technical Sciences, Associate Professor в преобразованиях для обеспечения стойкости к Department of information technologies security рассматриваемым атакам. Предложенный под- Kharkiv National University of Radio Electronics ход применяется к алгоритму Купина, принятому Nauky ave., 14, Kharkiv, Ukraine, 61166 в качестве украинского национального стандарта E-mail: [email protected] хеширования ДСТУ 7564:2014. Доказывается, что Y. Onishchenko наличие 5 и более циклов в каждом из преобразо- PhD, Associate Professor* ваний P и Q этого алгоритма хеширования делает E-mail: [email protected] его стойкими к атаке «изменения направления» V. Svitlychnyi (rebound attack) PhD, Associate Professor* Ключевые слова: алгоритм хеширования, Grostl, E-mail: [email protected] Rijndael-подобные преобразования, коллизионная *Department of cybersecurity атака, rebound атака Kharkiv National University of Internal Affairs L. Landau ave., 27, Kharkiv, Ukraine, 61080 1. Introduction to ensure resistance to known rebound attacks. The solution of these problems is the purpose of this work. Many modern cryptographic primitives, including hashing functions, use Rijndael-like ciphers as a con- struction element. For example, such hash functions are 2. Literature review and problem statement Whirlpool, Grostl [1], ECHO and Ukrainian standard DSTU 7564:2014 (Kupyna) [2]. The Kupyna was adopted The main difference between cryptanalysis of hash as the Ukrainian standard DSTU 7564:2014 in 2015. Sev- functions and cryptanalysis of block ciphers is that there are eral papers devoted to the analysis of the security of the no keys in hash algorithms unknown to the cryptanalyst, Kupyna algorithm were published after it was adopted as a instead, constants are used. Thus, a known-key model is standard [3, 4]. This algorithm uses the Rijndael-like block usually used in the hashing algorithms analysis. cipher Kalyna [5, 6] as the basic transformation. The block Using this model, the cryptanalyst tries to implement cipher Kalyna was also adopted as the Ukrainian nation- one of the following scenarios: al standard in 2015 (DSTU 7624: 2014). The high-level 1) show that the value of the hash function differs from structure of the compression function is identical to the random – distinguisher attack; one used in the Grostl algorithm. A detailed analysis of the 2) construct a message that has a given hash value – the Grostl algorithm within the framework of the SHA-3 com- first preimage attack; petition showed that the most effective collision attacks 3) construct a message that has the same hash value as on this hash function with a reduced number of rounds are the known message – the second preimage attack; rebound attacks [7–11]. These attacks use truncated byte 4) construct two messages that have the same hash val- differentials (BDs) or truncated byte differential charac- ue – the collision attack. teristics (BDCs). For the hashing algorithm with the hash code size w, the Thus, the actual problems are, first, the selection of the complexity of the brute force attacks of the first preimage, criteria for these BDs or BDCs for known collision attacks the second preimage, and the collision is 2w, 2w, and 2w/2, and, second, the development of methods for determination respectively. The hashing algorithm provides resistance to of the necessary number of rounds in the hashing algorithms some analytical attacks in the case when the complexity 44 V. Ruzhentsev, Y. Onishchenko, V. Svitlychnyi, 2017 Information and controlling systems of this attack is higher than the complexity of brute force 3. The aim and objectives of the study attacks. Many of attack scenarios on hash functions are similar The aim of this work is to research properties of BDC, to ideas of differential cryptanalysis and can be described which can be used in different kinds of rebound attacks, and in corresponding terms. For example, the problem of to propose the ways of proving the security of Grostl-like constructing a preimage is the problem of finding two hash algorithms against collision rebound attacks. messages which have nonzero input difference and zero To achieve this aim, it is necessary to accomplish the output difference. The problem of constructing a collision following objectives: is the task of finding two messages that have a nonzero – to analyze known collision attacks on Grostl-like difference and their hash codes form a zero difference. The hashing algorithms and detect the necessary conditions for scheme of difference transformation in terms of differen- performing these attacks; tial cryptanalysis is called the differential characteristic, – to determine the boundary numbers of rounds in the or, as in the case of differential attacks on Rijndael-like transformations P and Q, which are necessary to ensure ciphers, the byte differential characteristic (BDC). The security; work [12] is devoted to the analysis of BDCs, byte dif - – to perform a security proving for the Kupyna algo- ferentials and their probabilities for Rijndael-like ciphers. rithm against collision rebound attacks. In [13], an attempt to generalize these results for block ciphers in general was made, and a model of ciphers prov - ably secure against truncated differential attacks was 4. Grostl-like hashing algorithms and proposed. The results obtained in these papers about the the Kupyna algorithm upper bounds of the probabilities of BDCs and byte dif - ferentials can also be used in the security analysis of the The traditional general scheme for generating the hash Grostl-like hashing algorithms. value (Fig. 1) and the compression function scheme from the The absence of unknown keys in hashing algorithms Grostl algorithm [1] (Fig. 2) were taken as a basis for build- makes it possible to begin the right pair searching for the ing the Kupyna algorithm. selected differential or differential characteristics from any m m2 m3 m internal round. Right pair search is the most effective when 1 t it starts from the places where the difference propagation has a low probability. This idea is used in the rebound ϕ ϕ ϕ ϕ attack, which was proposed in [7] during the analysis of IV Ω ... H(M) SHA-3 competition participating algorithms including Grostl. Later, several works offered different improve- Fig. 1. The traditional general scheme for generating the hash ments of this attack. Thus, it was proposed in [8] to con- value sider a two-round Rijndael-like transformation as a set of 32-to-32 bits substitutions. This made it possible to in- crease the number of rounds of the attack. In [9], an “in- mi Q ternal differential” variant of attacks was proposed. This attack used the similarity of the P and Q transformations in the first version of the Grostl algorithm. After the modern- hi-1 P hi ization of the Grostl algorithm (in [1], an improved algo- rithm is presented), the final known variant of the collision attack was proposed in [10]. A fundamentally new scheme Fig. 2. The scheme of compression function ϕ for the Grostl for constructing a rebound attack was proposed in [11]. algorithm The attack from [11] is the most effective for the considered kind of hashing algorithms at the moment. In Fig. 1: The Kupyna hash algorithm [2] was adopted as the mi – blocks of messages; Ukrainian standard DSTU 7564:2014 in 2015. This algo- IV – initial vector; rithm uses base transformations of the Kalyna block cipher φ – compression function; (the Ukrainian standard DSTU 7624:2014). As compared W – the transformation, which consists in discarding the with other hashing algorithms, Kupyna has a high-level upper half of the digits; structure similar to Grostl. Several papers on Kupyna H(M) – hash value. security analysis have already been published [3,4] since In Fig. 2: its adoption. The preimage attack and the collision attack hi – variable, the value of which is obtained by processing performed according to the scheme from [9] were proposed the i-th block of the message, h0=IV; in [3]. Modification of the attack from [9] was also pro- P and Q are Rijndael-like block encryption algorithms, posed in [4]. in which constants are used instead of the round keys. At the same time, the presence of attack descriptions in Rijndael-like ciphers it mean ciphers with four main [3, 4, 7–11] does not answer the questions about the possi- transformations of Rijndael in each round. These trans- ble further improvement of rebound attacks for Grostl-like formations are: byte substitution ByteSub (BS); cyclic hashing algorithms and about the approach to determining shift of rows in the matrix representing the data block by the necessary number of rounds to ensure resistance to these a different number of bytes – ShiftRows (SR); multiplying attacks. The work is devoted to the search for answers to each column of the matrix representing the data block by these questions. a fixed matrix – MixColumns (MC); adding a data block 45 Eastern-European Journal of Enterprise Technologies ISSN 1729-3774 6/9 ( 90 ) 2017 with a subkey of the appropriate size – AddKey.
Load more

Recommended publications
  • Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher
    Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher Florian Mendel1, Thomas Peyrin2, Christian Rechberger1, and Martin Schl¨affer1 1 IAIK, Graz University of Technology, Austria 2 Ingenico, France [email protected],[email protected] Abstract. In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation3 and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO. Keywords: hash function, block cipher, cryptanalysis, semi-free-start collision, known-key distinguisher 1 Introduction Recently, a new wave of hash function proposals appeared, following a call for submissions to the SHA-3 contest organized by NIST [26]. In order to analyze these proposals, the toolbox which is at the cryptanalysts' disposal needs to be extended. Meet-in-the-middle and differential attacks are commonly used. A recent extension of differential cryptanalysis to hash functions is the rebound attack [22] originally applied to reduced (7.5 rounds) Whirlpool (standardized since 2000 by ISO/IEC 10118-3:2004) and a reduced version (6 rounds) of the SHA-3 candidate Grøstl-256 [14], which both have 10 rounds in total.
    [Show full text]
  • Cryptanalysis of Block Ciphers with New Design Strategies
    Cryptanalysis of Block Ciphers with New Design Strategies Mohamed Tolba A Thesis in The Concordia Institute for Information Systems Engineering Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy (Information Systems Engineering) at Concordia University Montreal, Quebec, Canada October 2017 ©Mohamed Tolba, 2017 CONCORDIA UNIVERSITY SCHOOL OF GRADUATE STUDIES This is to certify that the thesis prepared By: Mohamed Tolba Entitled: Cryptanalysis of Block Ciphers with New Design Strategies and submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Information Systems Engineering) complies with the regulations of the University and meets the accepted standards with re- spect to originality and quality. Signed by the final examining committee: Chair Dr. Theodore Stathopoulos External Examiner Dr. Huapeng Wu External to Program Dr. Anjali Agarwal Examiner Dr. Lingyu Wang Examiner Dr. Mohammad Mannan Thesis Supervisor Dr. Amr M. Youssef Approved by Dr. Chadi Assi, Graduate Program Director December 4th,2017 Dr. Amir Asif, Dean, Faculty of Engineering and Computer Science Abstract Cryptanalysis of Block Ciphers with New Design Strategies Mohamed Tolba, Ph.D. Concordia University, 2017 Block ciphers are among the mostly widely used symmetric-key cryptographic primitives, which are fundamental building blocks in cryptographic/security systems. Most of the public- key primitives are based on hard mathematical problems such as the integer factorization in the RSA algorithm and discrete logarithm problem in the DiffieHellman. Therefore, their security are mathematically proven. In contrast, symmetric-key primitives are usually not constructed based on well-defined hard mathematical problems. Hence, in order to get some assurance in their claimed security properties, they must be studied against different types of cryptanalytic techniques.
    [Show full text]
  • Efficient Hashing Using the AES Instruction
    Efficient Hashing Using the AES Instruction Set Joppe W. Bos1, Onur Özen1, and Martijn Stam2 1 Laboratory for Cryptologic Algorithms, EPFL, Station 14, CH-1015 Lausanne, Switzerland {joppe.bos,onur.ozen}@epfl.ch 2 Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom [email protected] Abstract. In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockci- pher with AES, which allows us to exploit the recent AES instruction set (AES- NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL- 256. Although we primarily target architectures supporting AES-NI, our frame- work has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi- block-length hash functions in software. 1 Introduction Historically, the most popular way of constructing a hash function is to iterate a com- pression function that itself is based on a blockcipher (this idea dates back to Ra- bin [49]). This approach has the practical advantage—especially on resource-constrained devices—that only a single primitive is needed to implement two functionalities (namely encrypting and hashing). Moreover, trust in the blockcipher can be conferred to the cor- responding hash function. The wisdom of blockcipher-based hashing is still valid today. Indeed, the current cryptographic hash function standard SHA-2 and some of the SHA- 3 candidates are, or can be regarded as, blockcipher-based designs.
    [Show full text]
  • International Journal of Computer Engineering and Applications, Volume XII, Special Issue, May 18, ISSN 2321-3469
    International Journal of Computer Engineering and Applications, Volume XII, Special Issue, May 18, www.ijcea.com ISSN 2321-3469 PROVIDING RESTRICTIONS AGAINST ATTACK AND CONGESTION CONTROL IN PUBLICINFRASTRUCTURE CLOUD Nousheen R1, Shanmugapriya M2, Sujatha P3,Dhinakaran D4 Student, Computer Science and Engineering, Peri Institute of Technology, Chennai, India 1,2,3 Assistant professor, Computer Science and Engineering, Peri Institute of Technology, Chennai, India 4 ABSTRACT: Cloud computing is current trend in market .It reduce the cost and complexity of service providers by the means of capital and operational cost.It allows users to access application remotely. This construct directs cloud service provider to handle cost of servers, software updates,etc. If the session tokens are not properly protected, an attacker can hijack an active session and assume the identity of a user. To focusing on session hijacking and broken authenticationOTP is generated it will send user mail.Once the user is authenticatedthey will be split into virtual machine it is initiate to the upload process into the cloud.Thecloud user files are uploaded and stored in domain based .Also in our proposed system encryption keys are maintained outside of the IaaS domain.For encryption, we proposed RSA algorithm .For data owner file encryption, we use camellia algorithm. Finally the files are stored in the public cloud named CloudMe. Keywords: Cloud computing, session hijacking, OTP, Virtual machine, Iaas, CloudMe [1] INTRODUCTION Cloud computing is an information technology(IT) standard that enables universal access to share group of configurable system resource and higher-level services that can be quickly provisioned with minimal management effort, often over the internet.
    [Show full text]
  • Analysis of the Kupyna-256 Hash Function
    Analysis OF THE Kupyna-256 Hash Function Christoph DobrAUNIG Maria Eichlseder Florian Mendel FSE 2016 M I T + Permutation-based DESIGN 2 N H −1 H AES-like ROUND TRANSFORMATIONS I T ⊕ I 2 2 N N Similar TO Grøstl Modular ADDITIONS INSIDE www.iaik.tugraz.at The Kupyna Hash Function UkrAINIAN STANDARD DSTU 7564:2014 [Oli+15; Олi+15a] M1 M2 M T IV F F F Ω HASH 2 2 2 N N N N N 2 f256; 512g 1 / 14 www.iaik.tugraz.at The Kupyna Hash Function UkrAINIAN STANDARD DSTU 7564:2014 [Oli+15; Олi+15a] M1 M2 M T IV F F F Ω HASH 2 2 2 N N N N N 2 f256; 512g M I T + Permutation-based DESIGN 2 N H −1 H AES-like ROUND TRANSFORMATIONS I T ⊕ I 2 2 N N Similar TO Grøstl Modular ADDITIONS INSIDE 1 / 14 www.iaik.tugraz.at The Kupyna-256 Round TRANSFORMATIONS Kupyna-512: 8 × 16 state, 14 ROUNDS Kupyna-256: 8 × 8 state, 10 rounds: AddConstant SubBytes ShiftBytes MixBytes f3f3f3f3f3f3f3f3 f0f0f0f0f0f0f0f0 f0f0f0f0f0f0f0f0 S + f0f0f0f0f0f0f0f0 T : f0f0f0f0f0f0f0f0 f0f0f0f0f0f0f0f0 f0f0f0f0f0f0f0f0 f¯ı e¯ı d¯ı c¯ı b¯ı a¯ı 9¯ı 8¯ı 0I 1I 2I 3I 4I 5I 6I 7I T ⊕: S R = MB ◦ RB ◦ SB ◦ AC I 2 / 14 Destroys byte-alignment & MDS PROPERTY BrANCH NUMBER OF T + REDUCED FROM 9 TO ≤ 6: MB AC > MB > AC > X1:(00 00 00 00 00 00 00 00) 7−−!(00 00 00 00 00 00 00 00) 7−!(F3 F0 F0 F0 F0 F0 F0 70); > MB > AC > X2:(00 00 00 00 00 00 00 FF) 7−−!(DB C7 38 AB FF 24 FF FF) 7−!(CE B8 29 9C F0 15 F0 70); > MB > AC > ∆:(00 00 00 00 00 00 00FF ) 7−−!(DB C7 38 AB FF 24 FF FF) 7−!(3D 48 D9 6C 00 E5 00 00): www.iaik.tugraz.at Modular Constant Addition Prevent SAME TRAILS FOR T +, T ⊕ Grøstl INSTEAD HAS
    [Show full text]
  • Rotational Rebound Attacks on Reduced Skein
    Rotational Rebound Attacks on Reduced Skein Dmitry Khovratovich1;2, Ivica Nikoli´c1, and Christian Rechberger3 1: University of Luxembourg; 2: Microsoft Research Redmond, USA; 3: Katholieke Universiteit Leuven, ESAT/COSIC, and IBBT, Belgium [email protected], [email protected], [email protected] Abstract. In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different construc- tions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 com- pression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function. The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers. Keywords: Skein, SHA-3, hash function, compression function, cipher, rotational cryptanalysis, rebound attack, distinguisher. 1 Introduction Rotational cryptanalysis and the rebound attack proved to be very effective in the analysis of SHA-3 candidates and related primitives.
    [Show full text]
  • Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain
    I. J. Computer Network and Information Security, 2021, 2, 1-15 Published Online April 2021 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2021.02.01 Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain Alexandr Kuznetsov1 , Inna Oleshko2, Vladyslav Tymchenko3, Konstantin Lisitsky4, Mariia Rodinko5 and Andrii Kolhatin6 1,3,4,5,6 V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine E-mail: [email protected], [email protected], [email protected], [email protected], [email protected] 2 Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine E-mail: [email protected] Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021 Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks are conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated.
    [Show full text]
  • Minalpher V1.1
    Minalpher v1.1 Designers Yu Sasaki, Yosuke Todo, Kazumaro Aoki, Yusuke Naito, Takeshi Sugawara, Yumiko Murakami, Mitsuru Matsui, Shoichi Hirose Submitters NTT Secure Platform Laboratories, Mitsubishi Electric Corporation, University of Fukui Contact [email protected] Version 1.1: 29 August 2015 Changes From v1.0 to v1.1 { Clarified the handling of illegal input length, specially, when a ciphertext length is not a multiple of a block. { Updated the numbers for software implementation on x86 64. { Added references which are found after the submission of v1.0. { Corrected typos. 2 1 Specification Section 1.1 specifies the mode of operation of Minalpher. Section 1.2 shows the exact parameters in our design. Section 1.3 defines the maximum input message length to Minalpher. Section 1.4 specifies the underlying primitive in Minalpher. 1.1 Mode of Operation Minalpher supports two functionalities: authenticated encryption with associated data (AEAD) and mes- sage authentication code (MAC). In this section, we specify these modes of operation. Subsection 1.1.1 gives notations used in the modes of operation. Subsection 1.1.2 specifies a padding rule used in the modes of operation. Subsection 1.1.3 specifies a primitive which we call tweakable Even- Mansour. The construction dates back to Kurosawa [27, 28], who builds a tweakable block-cipher from a permutation-based block-cipher proposed by Even and Mansour [18]. Tweakable block-ciphers are originated by Liskov, Rivest and Wagner [33]. Subsection 1.1.4 specifies the AEAD mode of operation. Subsection 1.1.5 specifies the MAC mode of operation.
    [Show full text]
  • Cryptanalysis of the Round-Reduced Kupyna Hash Function
    Cryptanalysis of the Round-Reduced Kupyna Hash Function Jian Zou1;2, Le Dong3 1Mathematics and Computer Science of Fuzhou University, Fuzhou, China, 350108 2Key Lab of Information Security of Network Systems (Fuzhou University), Fuzhou, China, China, 350108 3 College of Mathematics and Information Science, Henan Normal University, Xinxiang, China, 453007 [email protected], [email protected] Abstract. The Kupyna hash function was selected as the new Ukrainian standard DSTU 7564:2014 in 2015. It is designed to replace the old In- dependent States (CIS) standard GOST 34.311-95. The Kupyna hash function is an AES-based primitive, which uses Merkle-Damg˚ardcom- pression function based on Even-Mansour design. In this paper, we show the first cryptanalytic attacks on the round-reduced Kupyna hash func- tion. Using the rebound attack, we present a collision attack on 5-round of the Kupyna-256 hash function. The complexity of this collision at- tack is (2120; 264) (in time and memory). Furthermore, we use guess-and- determine MitM attack to construct pseudo-preimage attacks on 6-round Kupyna-256 and Kupyna-512 hash function, respectively. The complex- ity of these preimage attacks are (2250:33; 2250:33) and (2498:33; 2498:33) (in time and memory), respectively. Key words: Kupyna, preimage attack, collision attack, rebound attack, meet-in-the-middle, guess-and-determine 1 Introduction Cryptographic hash functions are playing important roles in the modern cryp- tography. They have many important applications, such as authentication and digital signatures. In general, hash function must satisfy three security require- ments: preimage resistance, second preimage resistance and collision resistance.
    [Show full text]
  • Rebound Attacks on Stribog
    Rebound Attacks on Stribog B Riham AlTawy( ), Aleksandar Kircanski, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montr´eal, QC H4B 1R6, Canada r [email protected] Abstract. In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11–2012). Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities 28 and 240, respectively. Finally, the compression function is analyzed and a 7.75 round semi free- start collision, 8.75 and 9.75 round semi free-start near collisions are presented along with an example for 4.75 round 50 out of 64 bytes near colliding message pair. Keywords: Cryptanalysis · Hash functions · Meet in the middle · Rebound attack · GOST R 34.11-2012 · Stribog 1 Introduction Wang et al. attacks on MD5 [21] and SHA-1 [20] followed by the SHA-3 compe- tition [3] have led to a flurry in the area of hash function cryptanalysis where different design concepts and various attack strategies were introduced. Many of the proposed attacks were not only targeting basic properties but they also stud- ied any non-ideal behaviour of the hash function, compression function, internal cipher, or the used domain extender.
    [Show full text]
  • CRYPTREC Report 2009 暗号方式委員会報告書
    CRYPTREC Report 2009 平成22年3月 独立行政法人情報通信研究機構 独立行政法人情報処理推進機構 「暗号方式委員会報告」 目次 はじめに ······················································· 1 本報告書の利用にあたって ······································· 2 委員会構成 ····················································· 3 委員名簿 ······················································· 4 第 1 章 活動の目的 ··················································· 7 1.1 電子政府システムの安全性確保 ··································· 7 1.2 暗号方式委員会 ················································· 8 1.3 電子政府推奨暗号リスト ········································· 9 1.4 活動の方針 ····················································· 9 第 2 章 電子政府推奨暗号リスト改訂について ·························· 11 2.1 改訂の背景 ··················································· 11 2.2 改訂の目的 ··················································· 11 2.3 電子政府推奨暗号リスト改訂のための暗号技術公募(2009 年度) ····· 12 2.3.1 公募の概要 ·············································· 12 2.3.2 2009 年度公募カテゴリ ···································· 12 2.3.3 公募期間 ················································ 13 2.3.4 評価スケジュール ········································ 13 2.3.5 評価項目 ················································ 14 2.3.6 応募暗号技術 ············································ 14 2.3.7 事務局選出技術 ·········································· 15 2.3.8 CRYPTREC シンポジウムの開催 ······························ 15 2.4 CRYPTREC シンポジウム 2010―応募暗号説明会―について ··········· 16 2.4.1 開催目的 ················································ 16 2.4.2 プログラムの概要 ········································ 16 2.4.3 意見・コメントの概要 ····································
    [Show full text]
  • Embeddability Is One of the Most Important Properties for Dedicate Interconnection Networks
    JOURNAL OF INFORMATION SCIENCE AND ENGINEERING XX, XXX-XXX (201X) Cryptanalysis of the Round-Reduced Kupyna 1,2 3 JIAN ZOU , LE DONG 1Mathematics and Computer Science of Fuzhou University, Fuzhou, China, 350108 2Key Lab of Information Security of Network Systems (Fuzhou University), Fuzhou, China, 350108 3 Henan Engineering Laboratory for Big Data Statistical Analysis and Optimal Control, Henan Normal University, Xinxiang, China, 453007 E-mail: {[email protected], [email protected]} Kupyna was approved as the new Ukrainian hash standard in 2015. In this paper, we show several pseudo-preimage attacks and collision attacks on Kupyna. Due to the wide-pipe design, it is hard to construct pseudo-preimage attacks on Kupyna. Combining the meet-in-the-middle attack with the guess-and-determine technique, we propose some pseudo-preimage attacks on the compression function for 5-round Kupyna-256 and 7-round Kupyna-512. The complexities of these two pseudo-preimage attacks are 2229.5 (for 5-round Kupyna-256) and 2499 (for 7-round Kupyna-512) respectively. Regarding the collision attack, we can not only construct a collision attack on the 7-round Kupyna-512 compression function with a complexity of 2159.3, but also construct a colli- sion attack on the 5-round Kupyna-512 hash function with a complexity of 2240. Key words: Kupyna, pseudo-preimage, collision, rebound attack, meet-in-the-middle. 1 INTRODUCTION Cryptographic hash functions are playing important roles in the modern cryptography. In general, hash function must satisfy three security requirements: preimage resistance, second preimage resistance and collision resistance. Regarding the preimage attack, the meet-in-the-middle (MitM) attack proposed by Aoki and Sasaki [1] was a generic method to construct preimage attacks against hash function.
    [Show full text]