352,197 research outputs found
New Data-Efficient Attacks on Reduced-Round IDEA
IDEA is a 64-bit block cipher with 128-bit keys which is widely
used due to its inclusion in several cryptographic packages such
as PGP. After its introduction by Lai and Massey in 1991, it was
subjected to an extensive cryptanalytic effort, but so far the largest
variant on which there are any published attacks contains only 6
of its 8.5-rounds. The first 6-round attack, described in the
conference version of this paper in 2007, was extremely marginal:
It required essentially the entire codebook, and saved only a
factor of 2 compared to the time complexity of exhaustive
search. In 2009, Sun and Lai reduced the data complexity of the 6-round attack from 2^{64} to 2^{49} chosen plaintexts and simultaneously reduced the time complexity from 2^{127} to 2^{112.1} encryptions. In this revised version of our paper, we combine a highly optimized meet-in-the-middle attack with a keyless version of the Biryukov-Demirci relation to obtain new key recovery attacks on
reduced-round IDEA, which dramatically reduce their data complexities and increase the number of rounds to which they are applicable. In the case of 6-round IDEA, we need only two known plaintexts (the minimal number of 64-bit messages required to determine a 128-bit key) to perform full key recovery in 2^{123.4} time. By increasing the number of known plaintexts to sixteen, we can reduce the time complexity to 2^{111.9}, which is slightly faster than the Sun and Lai data-intensive attack. By increasing the number of plaintexts to about one thousand, we can now attack 6.5 rounds of IDEA, which could not be attacked by any previously published technique. By pushing our techniques to extremes, we can attack 7.5 rounds using 2^{63} plaintexts and 2^{114} time, and by using an optimized version of a distributive attack, we can reduce the time complexity of exhaustive
search on the full 8.5-round IDEA to 2^{126.8} encryptions using only 16 plaintexts
Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on round-reduced AES
At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES -- based on the “multiple-of-8” property -- has been presented. Although it allows to distinguish a random permutation from an AES-like one, it seems rather hard to implement a key-recovery attack different than brute-force like using such a distinguisher.
In this paper we introduce “Mixture Differential Cryptanalysis” on round-reduced AES-like ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though, on a smaller number of rounds).
Given a pair of chosen plaintexts, the idea is to construct new pairs of plaintexts by mixing the generating variables of the original pair of plaintexts. Here we theoretically prove that for 4-round AES the corresponding ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the corresponding pairs of ciphertexts of the new pairs of plaintexts have the same property. Such secret-key distinguisher -- which is independent of the secret-key, of the details of the S-Box and of the MixColumns matrix (except for the branch number equal to 5) -- can be used as starting point to set up new key-recovery attacks on round-reduced AES. Besides a theoretical explanation, we also provide a practical verification both of the
distinguisher and of the attack.
As a second contribution, we show how to combine this new 4-round distinguisher with a modified version of a truncated differential distinguisher in order to set up new 5-round distinguishers, that exploit properties which are independent of the secret key, of the details of the S-Box and of the MixColumns matrix. As a result, while a “classical” truncated differential distinguisher exploits the probability that a couple of texts satisfies or not a given differential trail independently of the others couples, our distinguishers work with sets of N >> 1 (related) couples of texts. In particular, our new 5-round AES distinguishers exploit the fact that such sets of texts satisfy some properties with a different probability than a random permutation.
Even if such 5-round distinguishers have higher complexity than e.g. the “multiple-of-8” one present in the literature, one of them can be used as starting point to set up the first key-recovery attack on 6-round AES that exploits directly a 5-round secret-key distinguisher. The goal of this paper is indeed to present and explore new approaches, showing that even a distinguisher like the one presented at Eurocrypt -- believed to be hard to exploit - can be used to set up a key-recovery attack
Cryptanalysis of Some AES-based Cryptographic Primitives
Current information security systems rely heavily on symmetric key cryptographic primitives
as one of their basic building blocks. In order to boost the efficiency of the security systems, designers
of the underlying primitives often tend to avoid the use of provably secure designs. In fact, they adopt
ad hoc designs with claimed security assumptions in the hope that they resist known cryptanalytic
attacks. Accordingly, the security evaluation of such primitives continually remains an open field. In
this thesis, we analyze the security of two cryptographic hash functions and one block cipher. We
primarily focus on the recent AES-based designs used in the new Russian Federation cryptographic
hashing and encryption suite GOST because the majority of our work was carried out during the open
research competition run by the Russian standardization body TC26 for the analysis of their new
cryptographic hash function Streebog. Although, there exist security proofs for the resistance of AES-
based primitives against standard differential and linear attacks, other cryptanalytic techniques such as
integral, rebound, and meet-in-the-middle attacks have proven to be effective. The results presented in
this thesis can be summarized as follows:
Initially, we analyze various security aspects of the Russian cryptographic hash function GOST
R 34.11-2012, also known as Streebog or Stribog. In particular, our work investigates five security
aspects of Streebog. Firstly, we present a collision analysis of the compression function and its in-
ternal cipher in the form of a series of modified rebound attacks. Secondly, we propose an integral
distinguisher for the 7- and 8-round compression function. Thirdly, we investigate the one wayness of Streebog with respect to two approaches of the meet-in-the-middle attack, where we present a
preimage analysis of the compression function and combine the results with a multicollision attack
to generate a preimage of the hash function output. Fourthly, we investigate Streebog in the context
of malicious hashing and by utilizing a carefully tailored differential path, we present a backdoored
version of the hash function where collisions can be generated with practical complexity. Lastly, we
propose a fault analysis attack which retrieves the inputs of the compression function and utilize it to
recover the secret key when Streebog is used in the keyed simple prefix and secret-IV MACs, HMAC,
or NMAC. All the presented results are on reduced round variants of the function except for our analysis
of the malicious version of Streebog and our fault analysis attack where both attacks cover the full
round hash function.
Next, we examine the preimage resistance of the AES-based Maelstrom-0 hash function which is
designed to be a lightweight alternative to the ISO standardized hash function Whirlpool. One of the
distinguishing features of the Maelstrom-0 design is the proposal of a new chaining construction called
3CM which is based on the 3C/3C+ family. In our analysis, we employ a 4-stage approach that uses
a modified technique to defeat the 3CM chaining construction and generates preimages of the 6-round
reduced Maelstrom-0 hash function.
Finally, we provide a key recovery attack on the new Russian encryption standard GOST R 34.12-
2015, also known as Kuznyechik. Although Kuznyechik adopts an AES-based design, it exhibits a
faster diffusion rate as it employs an optimal diffusion transformation. In our analysis, we propose
a meet-in-the-middle attack using the idea of efficient differential enumeration where we construct
a three round distinguisher and consequently are able to recover 16-bytes of the master key of the
reduced 5-round cipher. We also present partial sequence matching, by which we generate, store, and
match parts of the compared parameters while maintaining negligible probability of matching error,
thus the overall online time complexity of the attack is reduced
Linear cryptanalysis of pseudorandom functions
RelatĂłrio de projeto de pesquisa.In this paper, we study linear relations propagating across block ciphers from the key input to the ciphertext (for a fixed plaintext block). This is a usual setting of a one-way function, used for instance in modes of operation such as KFB (key feedback). We instantiate the block cipher with the full 16-round DES and -DES, 10-round LOKI91 and 24-round Khufu, for which linear relations with high bias are well known. Other interesting targets include the full 8.5-round IDEA and PES ciphers for which high bias linear relations exist under the assumption of weak keys. Consequences of these findings impact the security of modes of operation such as KFB and of pseudorandom number/bit generators. These analyses were possible due to the linear structure and the poor diffusion of the key schedule algorithms. These findings shall motivate carefull (re)design of current and future key schedule algorithms
A Meaningful MD5 Hash Collision Attack
It is now proved by Wang et al., that MD5 hash is no more secure, after they proposed an attack that would generate two different messages that gives the same MD5 sum. Many conditions need to be satisfied to attain this collision. Vlastimil Klima then proposed a more efficient and faster technique to implement this attack. We use these techniques to first create a collision attack and then use these collisions to implement meaningful collisions by creating two different packages that give identical MD5 hash, but when extracted, each gives out different files with contents specified by the atacker
- …