15,699 research outputs found
Tag Second-preimage Attack against π-cipher
The π-cipher is one of the candidates of the CAESAR competition. One of the advertised features of the π-cipher is tag second-preimage resistance: it should be hard to generate a message with a given tag, even for the legitimate key holder (insider attack). In this note, we show that the generalized birthday attack of Wagner gives a practical tag second-preimage attack against the π-cipher
A generalized birthday approach for efficiently finding linear relations in l-sequences
Feedback with carry shift registers (FCSRs) have previously been available in two configurations, the Fibonacci and Galois architectures. Recently, a generalized and unifying FCSR structure and theory was presented. The new ring FCSR model repairs some weaknesses of the older architectures. Most notably, the carry cell bias property that was exploited for an attack on the eSTREAM final portfolio cipher F-FCSR-H v2 is no longer possible for the updated (and unbroken) F-FCSR-H v3 stream cipher. In this paper we show how to exploit a particular set of linear relations in ring FCSR sequences. We show what biases can be expected, and we also present a generalized birthday algorithm for actually realizing these relations. As all prerequisites of a distinguishing attack are present, we explicitly show a new such attack on F-FCSR-H v3 with an online time complexity of only 2^{37.2}. The offline time complexity (for finding a linear relation) is 2^{56.2}. This is the first successful attack on F-FCSR-H v3, the first attack to breach the exhaustive search complexity limit. Note that this attack is completely different from that of F-FCSR-H v2. We focus on this particular application in the paper, but the presented algorithm is actually very general. The algorithm can be applied to any FCSR automaton, so linearly filtered FCSRs and FCSR combiners may be particularly interesting targets for cryptanalysis
On the Security of NMAC and Its Variants
We first propose a general equivalent key recovery attack to a -MAC
variant NMAC, which is also provable secure, by applying a generalized birthday attack. Our
result shows that NMAC, even instantiated with a secure Merkle-DamgĂĄrd hash function, is
not secure. We further show that this equivalent key recovery attack to NMAC
is also applicable to NMAC for recovering the equivalent inner key of NMAC, in a related key
setting. We propose and analyze a series of NMAC variants with different secret approaches and
key distributions, we find that a variant NMAC-E, with secret envelop approach, can withstand
most of the known attacks in this paper. However, all variants including NMAC itself, are vulnerable
to on-line birthday attack for verifiable forgery. Hence, the underlying cryptographic hash functions,
based on Merkle-DamgĂĄrd construction, should be re-evaluated seriously
A Discrete Logarithm-based Approach to Compute Low-Weight Multiples of Binary Polynomials
Being able to compute efficiently a low-weight multiple of a given binary
polynomial is often a key ingredient of correlation attacks to LFSR-based
stream ciphers. The best known general purpose algorithm is based on the
generalized birthday problem. We describe an alternative approach which is
based on discrete logarithms and has much lower memory complexity requirements
with a comparable time complexity.Comment: 12 page
Parallel cryptanalysis
Most of today’s cryptographic primitives are based on computations that are hard to perform for a potential attacker but easy to perform for somebody who is in possession of some secret information, the key, that opens a back door in these hard computations and allows them to be solved in a small amount of time. To estimate the strength of a cryptographic primitive it is important to know how hard it is to perform the computation without knowledge of the secret back door and to get an understanding of how much money or time the attacker has to spend. Usually a cryptographic primitive allows the cryptographer to choose parameters that make an attack harder at the cost of making the computations using the secret key harder as well. Therefore designing a cryptographic primitive imposes the dilemma of choosing the parameters strong enough to resist an attack up to a certain cost while choosing them small enough to allow usage of the primitive in the real world, e.g. on small computing devices like smart phones. This thesis investigates three different attacks on particular cryptographic systems: Wagner’s generalized birthday attack is applied to the compression function of the hash function FSB. Pollard’s rho algorithm is used for attacking Certicom’s ECC Challenge ECC2K-130. The implementation of the XL algorithm has not been specialized for an attack on a specific cryptographic primitive but can be used for attacking some cryptographic primitives by solving multivariate quadratic systems. All three attacks are general attacks, i.e. they apply to various cryptographic systems; the implementations of Wagner’s generalized birthday attack and Pollard’s rho algorithm can be adapted for attacking other primitives than those given in this thesis. The three attacks have been implemented on different parallel architectures. XL has been parallelized using the Block Wiedemann algorithm on a NUMA system using OpenMP and on an Infiniband cluster using MPI. Wagner’s attack was performed on a distributed system of 8 multi-core nodes connected by an Ethernet network. The work on Pollard’s Rho algorithm is part of a large research collaboration with several research groups; the computations are embarrassingly parallel and are executed in a distributed fashion in several facilities with almost negligible communication cost. This dissertation presents implementations of the iteration function of Pollard’s Rho algorithm on Graphics Processing Units and on the Cell Broadband Engine
A New Algorithm for Solving Ring-LPN with a Reducible Polynomial
The LPN (Learning Parity with Noise) problem has recently proved to be of
great importance in cryptology. A special and very useful case is the RING-LPN
problem, which typically provides improved efficiency in the constructed
cryptographic primitive. We present a new algorithm for solving the RING-LPN
problem in the case when the polynomial used is reducible. It greatly
outperforms previous algorithms for solving this problem. Using the algorithm,
we can break the Lapin authentication protocol for the proposed instance using
a reducible polynomial, in about 2^70 bit operations
Combinatorics on words in information security: Unavoidable regularities in the construction of multicollision attacks on iterated hash functions
Classically in combinatorics on words one studies unavoidable regularities
that appear in sufficiently long strings of symbols over a fixed size alphabet.
In this paper we take another viewpoint and focus on combinatorial properties
of long words in which the number of occurrences of any symbol is restritced by
a fixed constant. We then demonstrate the connection of these properties to
constructing multicollision attacks on so called generalized iterated hash
functions.Comment: In Proceedings WORDS 2011, arXiv:1108.341
- …