69 research outputs found
A SAT-based preimage analysis of reduced KECCAK hash functions
In this paper, we present a preimage attack on reduced versions of Keccak hash functions. We use our recently developed toolkit
CryptLogVer for generating CNF (conjunctive normal form) which is
passed to the SAT solver PrecoSAT. We found preimages for some
reduced versions of the function and showed that full Keccak function
is secure against the presented attack
Security of the SHA-3 candidates Keccak and Blue Midnight Wish: Zero-sum property
The SHA-3 competition for the new cryptographic standard was initiated by National Institute of Standards and Technology (NIST) in 2007. In the following years, the event grew to one of the top areas currently being researched by the CS and cryptographic communities. The first objective of this thesis is to overview, analyse, and critique the SHA-3 competition. The second one is to perform an in-depth study of the security of two candidate hash functions, the finalist Keccak and the second round candidate Blue Midnight Wish. The study shall primarily focus on zero-sum distinguishers. First we attempt to attack reduced versions of these hash functions and see if any vulnerabilities can be detected. This is followed by attacks on their full versions. In the process, a novel approach is utilized in the search of zero-sum distinguishers by employing SAT solvers. We conclude that while such complex attacks can theoretically uncover undesired properties of the two hash functions presented, such attacks are still far from being fully realized due to current limitations in computing power
Preimage Attacks on 4-round Keccak by Solving Multivariate Quadratic Systems
In this paper, we present preimage attacks on 4-round Keccak-224/256 as well as 4-round Keccak[] in the preimage challenges. We revisit the Crossbred algorithm for solving the Boolean multivariate quadratic (MQ) system, propose a new view for the case and elaborate the computational complexity. The result shows that the Crossbred algorithm outperforms brute force theoretically and practically with feasible memory costs. In our attacks, we construct Boolean MQ systems in order to make full use of variables. With the help of solving MQ systems, we successfully improve preimage attacks on Keccak-224/256 reduced to 4 rounds. Moreover, we implement the preimage attack on 4-round Keccak[], an instance in the Keccak preimage challenges, and find 78-bit matched \textit{near preimages}. Due to the fundamental rule of solving MQ systems, the complexity elaboration of Crossbred algorithm is of independent interest
Cryptanalysis of 1-Round KECCAK
In this paper, we give the first pre-image attack against 1- round KECCAK-512 hash function, which works for all variants of 1- round KECCAK. The attack gives a preimage of length less than 1024 bits by solving a system of 384 linear equations. We also give a collision attack against 1-round KECCAK using similar analysis
Preimage attacks on the round-reduced Keccak with the aid of differential cryptanalysis
In this paper we use differential cryptanalysis to attack the winner of the SHA-3 competition, namely Keccak hash function. Despite more than 6 years of intensive cryptanalysis there have been known only two preimage attacks which reach 3 (or slightly more) rounds. Our 3-round preimage attack improves the complexity of those two existing attacks and it is obtained with a different technique. We also show the partial preimage attack on the 4-round Keccak, exploiting two properties of the linear step of the Keccak-f permutation
Quantum Algorithms for Boolean Equation Solving and Quantum Algebraic Attack on Cryptosystems
Decision of whether a Boolean equation system has a solution is an NPC
problem and finding a solution is NP hard. In this paper, we present a quantum
algorithm to decide whether a Boolean equation system FS has a solution and
compute one if FS does have solutions with any given success probability. The
runtime complexity of the algorithm is polynomial in the size of FS and the
condition number of FS. As a consequence, we give a polynomial-time quantum
algorithm for solving Boolean equation systems if their condition numbers are
small, say polynomial in the size of FS. We apply our quantum algorithm for
solving Boolean equations to the cryptanalysis of several important
cryptosystems: the stream cipher Trivum, the block cipher AES, the hash
function SHA-3/Keccak, and the multivariate public key cryptosystems, and show
that they are secure under quantum algebraic attack only if the condition
numbers of the corresponding equation systems are large. This leads to a new
criterion for designing cryptosystems that can against the attack of quantum
computers: their corresponding equation systems must have large condition
numbers
TurboSHAKE
In a recent presentation, we promoted the use of 12-round instances of Keccak, collectively called “TurboSHAKE”, in post-quantum cryptographic schemes, but without defining them further. The goal of this note is to fill this gap: The definition of the TurboSHAKE family simply consists in exposing and generalizing the primitive already defined inside KangarooTwelve
Automatic Preimage Attack Framework on Ascon Using a Linearize-and-Guess Approach
Ascon is the final winner of the lightweight cryptography standardization competition (2018 − 2023). In this paper, we focus on preimage attacks against round-reduced Ascon. The preimage attack framework, utilizing the linear structure with the allocating model, was initially proposed by Guo et al. at ASIACRYPT 2016 and subsequently improved by Li et al. at EUROCRYPT 2019, demonstrating high effectiveness in breaking the preimage resistance of Keccak. In this paper, we extend this preimage attack framework to Ascon from two aspects. Firstly, we propose a linearize-and-guess approach by analyzing the algebraic properties of the Ascon permutation. As a result, the complexity of finding a preimage for 2-round Ascon-Xof with a 64-bit hash value can be significantly reduced from 239 guesses to 227.56 guesses. To support the effectiveness of our approach, we find an actual preimage of all ‘0’ hash in practical time. Secondly, we develop a SAT-based automatic preimage attack framework using the linearize-and-guess approach, which is efficient to search for the optimal structures exhaustively. Consequently, we present the best theoretical preimage attacks on 3-round and 4-round Ascon-Xof so far
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak
In this paper, we analyze the security of round-reduced versions of the Keccak hash function family. Based on the work pioneered by Aumasson and Meier, and Dinur et al., we formalize and develop a technique named linear structure, which allows linearization of the underlying permutation of Keccak for up to 3 rounds with large number of variable spaces. As a direct application, it extends the best zero-sum distinguishers by 2 rounds without increasing the complexities. We also apply linear structures to preimage attacks against Keccak. By carefully studying the properties of the underlying Sbox, we show bilinear structures and find ways to convert the information on the output bits to linear functions on input bits. These findings, combined with linear structures, lead us to preimage attacks against up to 4-round Keccak with reduced complexities. An interesting feature of such preimage attacks is low complexities for small variants. As extreme examples, we can now find preimages of 3-round SHAKE128 with complexity 1, as well as the first practical solutions to two 3-round instances of Keccak challenge. Both zero-sum distinguishers and preimage attacks are verified by implementations. It is noted that the attacks here are still far from threatening the security of the full 24-round Keccak
- …