
    Methods for Collisions in Some Algebraic Hash Functions

    This paper focuses on devising methods for producing collisions in algebraic hash functions that may be seen as generalized forms of the well-known Zémor and Tillich-Zémor hash functions. In contrast to some of the previous approaches, we attempt to construct collisions in a structured and deterministic manner by constructing messages with triangular or diagonal hashes. Our method thus provides an alternate deterministic approach to the method for finding triangular hashes. We also consider the generalized Tillich-Zémor hash functions over $\mathbb{F}_p^k$ for $p \neq 2$, relating the generator matrices to a polynomial recurrence relation, and derive a closed form for any arbitrary power of the generators. We then provide conditions for collisions, and a method to maliciously design the system so as to facilitate easy collisions, in terms of this polynomial recurrence relation. Our general conclusion is that it is very difficult in practice to achieve the theoretical collision conditions efficiently, in both the generalized Zémor and the generalized Tillich-Zémor cases. Therefore, although the techniques are interesting theoretically, in practice the collision-resistance of the generalized Zémor functions is reinforced.

    Some applications of noncommutative groups and semigroups to information security

    We present evidence why the Burnside groups of exponent 3 could be a good candidate for a platform group for the HKKS semidirect product key exchange protocol. We also explore hashing with matrices over SL2(Fp), and compute bounds on the girth of the Cayley graph of the subgroup of SL2(Fp) for specific generators A, B. We demonstrate that even without optimization, these hashes have comparable performance to hashes in the SHA family.

    Hardware Implementations of a Variant of the Zémor-Tillich Hash Function: Can a Provably Secure Hash Function be very efficient ?

    Hash functions are widely used in Cryptography, and hardware implementations of hash functions are of interest in a variety of contexts such as speeding up the computations of a network server or providing authentication in small electronic devices such as RFID tags. Provably secure hash functions, the security of which relies on the hardness of a mathematical problem, are particularly appealing for security, but they used to be too inefficient in practice. In this paper, we study the efficiency in hardware of ZT', a provably secure hash function based on the Zémor-Tillich hash function. We consider three kinds of implementations targeting a high throughput and a low area in different ways. We first present a high-speed implementation of ZT' on FPGA that is nearly half as efficient as state-of-the-art SHA implementations in terms of throughput per area. We then focus on area reduction and present an ASIC implementation of ZT' with much smaller area costs than SHA-1 and even than SQUASH, which was specially designed for low-cost RFID tags. Between these two extreme implementations, we show that the throughput and area can be traded with a lot of flexibility. Finally, we show that the inherent parallelism of ZT' makes it particularly suitable for applications requiring high speed hashing of very long messages. Our work, together with existing reasonably efficient software implementations, shows that this variant of the Zémor-Tillich hash function is in fact very practical for a wide range of applications, while having a security related to the hardness of a mathematical problem and significant additional advantages such as scalability and parallelism.
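
    The three Zémor-Tillich abstracts above share one mechanism: each message symbol selects a generator matrix and the digest is the product of the selected matrices in SL2 over a finite field, i.e. a walk in a Cayley graph. The following added example (not code from any of the papers above) implements that mechanism over SL2(F_p) for a tiny prime p so its consequences can be checked directly: concatenation of messages maps to multiplication of digests, which is exactly the parallelism the hardware paper exploits and also a malleability an application must account for; and the all-zero message of length k hashes to the triangular matrix [[1, k], [0, 1]], so the length-p zero message collides with the empty message, which is why the search for the shortest collision returns after p symbols for the primes tested. The generators A = [[1,1],[0,1]] and B = [[1,0],[1,1]] are an assumption of this example (the second abstract does not state its A, B), Tillich-Zémor proper works over F_{2^n} rather than F_p, and real instantiations use a large parameter rather than p = 5.

    ```python
    """Toy Zémor-style Cayley-graph hash over SL2(F_p).

    Added example.  The generator matrices below and the choice of prime are
    assumptions made for illustration; none of this is the papers' own code.
    """
    from functools import reduce
    from itertools import product

    IDENTITY = ((1, 0), (0, 1))
    GEN_A = ((1, 1), (0, 1))   # consumed for message bit 0 (assumed generator)
    GEN_B = ((1, 0), (1, 1))   # consumed for message bit 1 (assumed generator)


    def mat_mul(x, y, p):
        """2x2 matrix product with every entry reduced mod p."""
        (a, b), (c, d) = x
        (e, f), (g, h) = y
        return (((a * e + b * g) % p, (a * f + b * h) % p),
                ((c * e + d * g) % p, (c * f + d * h) % p))


    def zemor_hash(bits, p):
        """Sequential hash: one step along a generator edge per message bit."""
        acc = IDENTITY
        for bit in bits:
            if bit not in "01":
                raise ValueError("message must be a string of 0/1 characters")
            acc = mat_mul(acc, GEN_A if bit == "0" else GEN_B, p)
        return acc


    def parallel_hash(bits, p, chunk=8):
        """Hash fixed-size chunks independently, then multiply the partial digests.

        Equal to zemor_hash(bits, p) because the digest of a concatenation is the
        product of the digests; the chunk hashes could run on separate cores.
        """
        parts = [zemor_hash(bits[i:i + chunk], p) for i in range(0, len(bits), chunk)]
        return reduce(lambda x, y: mat_mul(x, y, p), parts, IDENTITY)


    def extend(digest, suffix, p):
        """Given only h(m), compute h(m || suffix) without knowing m.

        The homomorphic property that makes parallel hashing possible also means
        the bare digest must not be treated as a commitment that resists appending.
        """
        return mat_mul(digest, zemor_hash(suffix, p), p)


    def shortest_collision(p):
        """Enumerate bit strings by increasing length (lexicographically within a
        length) until two distinct strings share a digest.  Always terminates
        because SL2(F_p) is finite; GEN_A**k is the triangular matrix
        [[1, k], [0, 1]], so the zero string of length p already hashes to the
        identity, the digest of the empty string."""
        seen = {IDENTITY: ""}
        length = 1
        while True:
            for word in product("01", repeat=length):
                w = "".join(word)
                h = zemor_hash(w, p)
                if h in seen:
                    return seen[h], w
                seen[h] = w
            length += 1


    if __name__ == "__main__":
        p = 101
        m1, m2 = "0110100111", "1010010001"
        assert zemor_hash(m1 + m2, p) == mat_mul(zemor_hash(m1, p), zemor_hash(m2, p), p)
        print("shortest collision for p=5:", shortest_collision(5))
    ```

    The non-commutativity of the generators is what makes this a hash rather than a sum: hashing "01" and "10" gives different matrices. The collision search is only feasible because p is tiny; for the tested primes it finds the pair (empty string, p zeros), and a practitioner evaluating such a design would look at the shortest relation among the generators (the girth bound computed in the second abstract) to see how long a colliding pair must be.
    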

    Securing Update Propagation with Homomorphic Hashing

    In database replication, ensuring consistency when propagating updates is a challenging and extensively studied problem. However, the problem of securing update propagation against malicious adversaries has received less attention in the literature. This consideration becomes especially relevant when sending updates across a large network of untrusted peers. In this paper we formalize the problem of secure update propagation and propose a system that allows a centralized distributor to propagate signed updates across a network while adding minimal overhead to each transaction. We show that our system is secure (in the random oracle model) against an attacker who can maliciously modify any update and its signature. Our approach relies on the use of a cryptographic primitive known as homomorphic hashing, introduced by Bellare, Goldreich, and Goldwasser. We make our study of secure update propagation concrete with an instantiation of the lattice-based homomorphic hash LtHash of Bellare and Micciancio. We provide a detailed security analysis of the collision resistance of LtHash, and we implement LtHash using a selection of parameters that gives at least 200 bits of security. Our implementation has been deployed to secure update propagation in production at Facebook, and is included in the Folly open-source library.
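
    The property the abstract relies on is that an LtHash-style digest of a set is the component-wise sum (mod 2^16) of per-element hashes, so a peer can roll its digest forward through an update by adding the hashes of inserted rows and subtracting those of deleted rows, then compare against the digest the distributor signed. The added example below (not the Folly implementation or the paper's code) shows that flow end to end on constructed rows. Its parameters are assumptions for illustration, not the deployed ones: 64 words of 16 bits, SHAKE-256 as the per-element expander, and an HMAC standing in for the distributor's public-key signature so that the example runs with the standard library alone.

    ```python
    """Additive homomorphic set hash in the LtHash style with incremental
    verification of replicated updates.

    Added example; parameters and the HMAC-as-signature stand-in are assumptions.
    """
    import hashlib
    import hmac
    from typing import Iterable, List, Optional

    WORDS = 64            # assumed digest width in 16-bit words (toy size)
    WORD_BITS = 16
    MASK = (1 << WORD_BITS) - 1


    def element_hash(item: bytes) -> List[int]:
        """Expand one element into a vector of WORDS 16-bit words."""
        raw = hashlib.shake_256(item).digest(WORDS * 2)
        return [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]


    def vec_add(a, b):
        return [(x + y) & MASK for x, y in zip(a, b)]


    def vec_sub(a, b):
        return [(x - y) & MASK for x, y in zip(a, b)]


    def set_hash(items: Iterable[bytes]) -> List[int]:
        """Digest of a multiset: component-wise sum of element hashes, so the
        result does not depend on the order in which rows are visited."""
        acc = [0] * WORDS
        for item in items:
            acc = vec_add(acc, element_hash(item))
        return acc


    def apply_update(digest, added: Iterable[bytes], removed: Iterable[bytes]):
        """Move a digest from the old state to the new one without rehashing
        the whole set: add inserted rows, subtract deleted rows."""
        for item in added:
            digest = vec_add(digest, element_hash(item))
        for item in removed:
            digest = vec_sub(digest, element_hash(item))
        return digest


    def encode(digest) -> bytes:
        return b"".join(w.to_bytes(2, "little") for w in digest)


    def distributor_sign(key: bytes, digest) -> bytes:
        """Stand-in for the distributor's signature over the post-update digest
        (a deployment would use a public-key signature here, not a MAC)."""
        return hmac.new(key, encode(digest), "sha256").digest()


    def peer_apply(key: bytes, local_digest, added, removed, signature) -> Optional[List[int]]:
        """Peer side: roll the local digest forward through the received update and
        accept only if the distributor's signature covers exactly that digest.
        Returns the new digest, or None when the update (or its signature) was
        altered in transit, in which case the peer must not apply the rows."""
        candidate = apply_update(local_digest, added, removed)
        if not hmac.compare_digest(distributor_sign(key, candidate), signature):
            return None
        return candidate


    if __name__ == "__main__":
        # Constructed sample rows; the key is shared only because HMAC stands in
        # for a signature in this toy.
        key = b"distributor-signing-key"
        rows = [b"user:1:alice", b"user:2:bob"]
        digest = set_hash(rows)
        added, removed = [b"user:3:carol"], [b"user:2:bob"]
        sig = distributor_sign(key, apply_update(digest, added, removed))
        print("honest update accepted:", peer_apply(key, digest, added, removed, sig) is not None)
        print("tampered update accepted:", peer_apply(key, digest, [b"user:3:mallory"], removed, sig) is not None)
    ```

    Because every row hash is added independently, the digest of a full table can be checked against the digest maintained incrementally over many updates, and a peer that missed nothing and applied everything faithfully ends up with exactly the digest the distributor signed. The reverse direction, subtracting the hash of a row, is what distinguishes this primitive from a plain Merkle-style commitment and what makes deletions as cheap as insertions.
    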

    Cryptanalysis of a digital signature scheme of W. He.

    Wong, Chun Kuen. Thesis (M.Phil.)--Chinese University of Hong Kong, 2002. Includes bibliographical references (leaves 43-45). Abstracts in English and Chinese.

    Chapter 1 Introduction
        1.1 Origin of The First Digital Signature Scheme
        1.2 On the security of digital signature schemes
        1.3 Organization of the Thesis
    Chapter 2 Mathematical Background
        2.1 Divisibility
        2.2 Prime
        2.3 Modular arithmetic
        2.4 Congruence
        2.5 Greatest Common Divisor
        2.6 Integers modulo n
        2.7 Inverse
        2.8 Division in Zn
        2.9 Order of element
        2.10 Euclidean Algorithm
        2.11 Extended Euclidean Algorithm
        2.12 Chinese Remainder Theorem
        2.13 Relatively Prime
        2.14 Euler Totient Function
        2.15 Fermat's Little Theorem
        2.16 Euler's Theorem
        2.17 Square root
        2.18 Quadratic residue
        2.19 Legendre Symbol
        2.20 Jacobi Symbol
        2.21 Blum Integer
        2.22 The Factoring Problem
        2.23 The Discrete Logarithm Problem
        2.24 One-way Hash Function
    Chapter 3 Survey of digital signature schemes
        3.1 The RSA signature scheme
            3.1.1 Key generation in the RSA signature scheme
            3.1.2 Signature generation in the RSA signature scheme
            3.1.3 Signature verification in the RSA signature scheme
            3.1.4 On the security of the RSA signature scheme
        3.2 The ElGamal signature scheme
            3.2.1 Key generation in the ElGamal signature scheme
            3.2.2 Signature generation in the ElGamal signature scheme
            3.2.3 Signature verification in the ElGamal signature scheme
            3.2.4 On the security of the ElGamal signature scheme
        3.3 The Schnorr signature scheme
            3.3.1 Key generation in the Schnorr signature scheme
            3.3.2 Signature generation in the Schnorr signature scheme
            3.3.3 Signature verification in the Schnorr signature scheme
            3.3.4 Discussion
        3.4 Digital signature schemes based on both the factoring and discrete logarithm problems
            3.4.1 The Brickell-McCurley signature scheme
            3.4.2 The Okamoto signature scheme
            3.4.3 The Harn signature scheme
            3.4.4 The Shao signature scheme
            3.4.5 The W. He signature scheme
    Chapter 4 Cryptanalysis of the digital signature scheme of W. He
        4.1 The Digital Signature Scheme of W. He
            4.1.1 System setup in the W. He Digital Signature Scheme
            4.1.2 Key generation in the W. He Digital Signature Scheme
            4.1.3 Signature generation in the W. He Digital Signature Scheme
            4.1.4 Signature verification in the W. He Digital Signature Scheme
        4.2 Cryptanalysis of the digital signature scheme of W. He
            4.2.1 Theorems on the security of the digital signature scheme of W. He
            4.2.2 Signature Forgery in the digital signature scheme of W. He
            4.2.3 Remedy
    Chapter 5 Conclusions
    Bibliography

    Cryptographic Hash Functions in Groups and Provable Properties

    We consider several "provably secure" hash functions that compute simple sums in a well chosen group (G,*). Security properties of such functions provably translate in a natural way to computational problems in G that are simple to define and possibly also hard to solve. Given k disjoint lists Li of group elements, the k-sum problem asks for gi ∊ Li such that g1 * g2 *...* gk = 1G. Hardness of the problem in the respective groups follows from some "standard" assumptions used in public-key cryptology such as hardness of integer factoring, discrete logarithms, lattice reduction and syndrome decoding. We point out evidence that the k-sum problem may even be harder than the above problems. Two hash functions based on the group k-sum problem, SWIFFTX and FSB, were submitted to NIST as candidates for the future SHA-3 standard. Both submissions were supported by some sort of a security proof. We show that the assessment of security levels provided in the proposals is not related to the proofs included. The main claims on security are supported exclusively by considerations about available attacks. By introducing "second-order" bounds on bounds on security, we expose the limits of such an approach to provable security. A problem with the way security is quantified does not necessarily mean a problem with security itself. Although FSB does have a history of failures, recent versions of the two above functions have resisted cryptanalytic efforts well. This evidence, as well as the several connections to more standard problems, suggests that the k-sum problem in some groups may be considered hard on its own, and possibly lead to provable bounds on security. Complexity of the non-trivial tree algorithm is becoming a standard tool for measuring the associated hardness. We propose modifications to the multiplicative Very Smooth Hash and derive security from multiplicative k-sums in contrast to the original reductions that related to factoring or discrete logarithms. 
    Although the original reductions remain valid, we measure security in a new, more aggressive way. This allows us to relax the parameters and hash faster. We obtain a function that is only three times slower compared to SHA-256 and is estimated to offer at least equivalent collision resistance. The speed can be doubled by the use of a special modulus; such a modified function is supported exclusively by the hardness of multiplicative k-sums modulo a power of two. Our efforts culminate in a new multiplicative k-sum function in finite fields that further generalizes the design of Very Smooth Hash. In contrast to the previous variants, the memory requirements of the new function are negligible. The fastest instance of the function expected to offer 128-bit collision resistance runs at 24 cycles per byte on an Intel Core i7 processor and approaches the 17.4 figure of SHA-256. The new functions proposed in this thesis do not provably achieve a usual security property such as preimage or collision resistance from a well-established assumption. They do however enjoy unconditional provable separation of inputs that collide. Changes in input that are small with respect to a well defined measure never lead to identical output in the compression function.
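
    The abstract measures k-sum hardness by the cost of the tree algorithm. The added example below (not code from the thesis) runs that algorithm, Wagner's generalized birthday method, for k = 4 in the XOR group (Z_2)^n, which is the setting of the syndrome-decoding-based hashes the abstract mentions: four lists L_1..L_4 of n-bit values are constructed inline and the code finds x_i in L_i with x_1 xor x_2 xor x_3 xor x_4 = 0. For a k-sum hash, where each message chunk selects one list element and the digest is their combination, a collision between two messages is exactly such a solution over the lists and their inverses, so the list size at which the tree algorithm starts to succeed, about 2^(n/3) for k = 4, is what bounds the security a parameter choice can claim. The lists here are deliberately a little larger than 2^(n/3) so that the demonstration finds a solution rather than sitting at the threshold; the multiplicative k-sum of the VSH variants uses the same tree shape with multiplication in place of XOR and is not shown.

    ```python
    """Wagner's tree algorithm for the 4-sum problem in the XOR group (Z_2)^n.

    Added example with constructed random lists; it is not the thesis's code.
    """
    import random
    from collections import defaultdict


    def make_lists(n: int, size: int, seed: int = 1):
        """Four lists of `size` uniformly random n-bit values (constructed input)."""
        rng = random.Random(seed)
        return [[rng.getrandbits(n) for _ in range(size)] for _ in range(4)]


    def join(la, lb, mask):
        """Pair entries of two lists that agree on the masked bits.

        The XOR of such a pair is zero on those bits, which is what the next
        level builds on.  Every entry carries the original elements behind it.
        """
        index = defaultdict(list)
        for v, path in lb:
            index[v & mask].append((v, path))
        return [(v ^ w, path + q) for v, path in la for w, q in index[v & mask]]


    def four_sum(lists, n: int):
        """Return (x1, x2, x3, x4) with x_i in lists[i] and x1^x2^x3^x4 == 0, or None.

        Level 1 matches L1 with L2 and L3 with L4 on the low n//3 bits, so each
        merged list stays about as large as the inputs; level 2 must then agree
        on all remaining bits.  With |L_i| = 2^(n/3) about one solution is
        expected, versus 2^(n/2) for a plain two-list birthday search.
        """
        low = (1 << (n // 3)) - 1
        wrap = lambda values: [(x, (x,)) for x in values]
        l12 = join(wrap(lists[0]), wrap(lists[1]), low)
        l34 = join(wrap(lists[2]), wrap(lists[3]), low)
        solutions = join(l12, l34, (1 << n) - 1)   # full agreement => XOR is 0
        return solutions[0][1] if solutions else None


    def is_solution(lists, sol) -> bool:
        """Independent check: each element comes from its own list and they XOR to 0."""
        return (sol is not None
                and all(sol[i] in lists[i] for i in range(4))
                and sol[0] ^ sol[1] ^ sol[2] ^ sol[3] == 0)


    if __name__ == "__main__":
        n = 24
        lists = make_lists(n, 512, seed=7)   # 512 = 2^9 > 2^(n/3) = 256
        sol = four_sum(lists, n)
        print("4-sum solution:", [hex(x) for x in sol] if sol else None)
        print("verified:", is_solution(lists, sol))
    ```

    The work of each level is linear in the list sizes (one dictionary build and one scan), so the total cost is governed by the list size rather than by the number of candidate quadruples, which is the reason a k-sum hash cannot be sized by a naive birthday bound.
    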

    On Message Authentication in 4G LTE System

    After decades of evolution, the cellular system has become an indispensable part of modern life. Together with the convenience brought by the cellular system, many security issues have arisen. Message integrity protection is one of the urgent problems. The integrity of a message is usually protected by a message authentication code (MAC). Forgery attacks are the primary threat to message integrity. By Simon's definition, forgery is twofold. The first is impersonation forgery, in which the opponent can forge a MAC without knowing any message-MAC pairs. The second is substitution forgery, in which the opponent can forge a MAC by knowing certain message-MAC pairs. In the 4G LTE system, MAC is applied not only to RRC control messages and user data, but also to authentication of the identities in the radio network during the authentication and key agreement (AKA) procedure. There is a set of functions used in AKA, which is called A3/A8. Originally, only one cipher suite called MILENAGE followed the definition of A3/A8. Recently, Vodafone has proposed another candidate called TUAK. This thesis first analyzes a MAC algorithm of the 4G LTE system called EIA1. The analysis shows that because of its linear structure, given two valid message-MAC pairs generated by EIA1, attackers can forge up to $2^{32}$ valid MACs by the algorithm called linear forgery attack proposed in this thesis. This thesis also proposes a well-designed scenario, in which attackers can apply the linear forgery attack to the real system. The second work presented in this thesis fixes the gap between the almost XOR universal property and the substitution forgery probability, and assesses the security of EIA1 under different attack models. After the security analysis, an optimized EIA1 using an efficient polynomial evaluation method is proposed. This polynomial evaluation method is analogous to the fast Fourier transform. Compared with Horner's rule, which is used in the official implementation of EIA1, this method reduces the number of multiplications over the finite field dramatically. The improvement is shown by the experimental results, which suggest that the optimized code is much faster than the official implementation, and the polynomial evaluation method is better than Horner's rule. The third work in this thesis assesses the security of TUAK, and proves TUAK is a secure algorithm set, which means $f_1$, $f_1^*$, and $f_2$ are resistant to forgery attacks and key recovery attacks; $f_3$ to $f_5$ and $f_5^*$ are resistant to key recovery attacks and collision. A novel technique called the multi-output filtering model is proposed in this work in order to study the non-randomness property of TUAK and other cryptographic primitives, such as AES, KASUMI, and PRESENT. A multi-output filtering model consists of a linear feedback shift register (LFSR) and a multi-output filtering function. The contribution of this research is twofold. First, an attack technique under IND-CPA using the multi-output filtering model is proposed. By introducing a distinguishing function, we theoretically determine the success rate of this attack. In particular, we construct a distinguishing function based on the distribution of the linear complexity of component sequences, and apply it to studying TUAK's $f_1$ algorithm, AES, KASUMI and PRESENT. The experiments demonstrate that the success rate of the attack on KASUMI and PRESENT is non-negligible, but $f_1$ and AES are resistant to this attack. Second, this research studies the distribution of the cryptographic properties of component functions of a random primitive in the multi-output filtering model. The experiments show some non-randomness in the distribution of the algebraic degree and nonlinearity for KASUMI. The last work is constructing two MACs. The first MAC, called WGIA-128, is a variant of EIA1 and requires the underlying stream cipher to generate uniformly distributed key streams. WG-16, a stream cipher with provable security, is a good choice to be the underlying cipher of WGIA-128 because it satisfies the requirement. The second MAC, called AMAC, is constructed upon APN functions. We propose two different constructions of AMAC, and both of these two constructions have provable security. The probability of substitution forgery attacks against both constructions of AMAC is upper bounded by a negligible value. Compared with EIA1 and EIA3, two message authentication codes used in the 4G LTE system, both constructions of AMAC are slower than EIA3, but much faster than EIA1. Moreover, both constructions of AMAC are resistant to cycling and linear forgery attacks, which can be applied to both EIA1 and EIA3.

    Cryptanalysis and Design of Symmetric Primitives

    This dissertation focuses on the analysis and design of block ciphers and hash functions. The work begins with an introduction to techniques for the cryptanalysis of block ciphers. We describe these methods and show how new techniques can be developed from them that lead to stronger attacks. In the second part of the work we present a series of attacks on a variety of block ciphers. We have developed attacks on reduced versions of ARIA and AES. In the third part we additionally present attacks on the internal block ciphers of hash functions. We develop attacks that break the internal block ciphers of Tiger and HAS-160 at the full number of rounds. The attacks presented here are the first of their kind. An attack on a reduced version of SHACAL-2 that has almost no memory requirement is also presented. The fourth part of the work deals with the design and analysis of cryptographic hash functions. We have applied a slide attack, a technique known from the analysis of block ciphers, in the context of hash functions. In doing so we present various attacks on GRINDAHL and RADIOGATUN. Building on the attacks of the second and third parts of this work, we present a new hash function, which we call TWISTER. TWISTER was developed for the SHA-3 competition and has already been accepted to the first round.

    This thesis focuses on the cryptanalysis and the design of block ciphers and hash functions. The thesis starts with an overview of methods for cryptanalysis of block ciphers which are based on differential cryptanalysis. We explain these concepts and also several combinations of these attacks. We propose new attacks on reduced versions of ARIA and AES. Furthermore, we analyze the strength of the internal block ciphers of hash functions. We propose the first attacks that break the internal block ciphers of Tiger, HAS-160, and a reduced round version of SHACAL-2. The last part of the thesis is concerned with the analysis and the design of cryptographic hash functions. We adopt a block cipher attack called slide attack into the scenario of hash function cryptanalysis. We then use this new method to attack different variants of GRINDAHL and RADIOGATUN. Finally, we propose a new hash function called TWISTER which was designed and proposed for the SHA-3 competition. TWISTER was accepted for round one of this competition. Our approach follows a new strategy to design a cryptographic hash function. We also describe several attacks on TWISTER and discuss the security issues concerning these attacks on TWISTER.

    Computational Approaches to Problems in Noncommutative Algebra -- Theory, Applications and Implementations

    Noncommutative rings appear in several areas of mathematics. Most prominently, they can be used to model operator equations, such as differential or difference equations. In the Ph.D. studies leading to this thesis, the focus was mainly on two areas: factorization in certain noncommutative domains and matrix normal forms over noncommutative principal ideal domains. Regarding the area of factorization, we initiate in this thesis a classification of noncommutative domains with respect to the factorization properties of their elements. Such a classification is well established in the area of commutative integral domains. Specifically, we define conditions to identify so-called finite factorization domains, and discover that the ubiquitous G-algebras are finite factorization domains. We furthermore realize a practical factorization algorithm applicable to G-algebras, with minor assumptions on the underlying field. Since the generality of our algorithm comes at the price of performance, we also study how it can be optimized for specific domains. Moreover, all of these factorization algorithms are implemented. However, it turns out that factorization is difficult for many types of noncommutative rings. This observation leads to the adjunct examination of noncommutative rings in the context of cryptography. In particular, we develop a Diffie-Hellman-like key exchange protocol based on certain noncommutative rings. Regarding the matrix normal forms, we present a polynomial-time algorithm of Las Vegas type to compute the Jacobson normal form of matrices over specific domains. We will study the flexibility, as well as the limitations, of our proposal. Another core contribution of this thesis consists of various implementations to assist future researchers working with noncommutative algebras. Detailed reports on all these programs and software libraries are provided. We furthermore develop a benchmarking tool called SDEval, tailored to the needs of the computer algebra community. A description of this tool is also included in this thesis.

    Part I:
