Breaking -MAC Using Birthday Paradox
-MAC was proposed to increase efficiency over HMAC by omitting its outer key while keeping the advantages and security of HMAC. However, as pointed out by the designer, the security of -MAC also depends on the secrecy of the intermediate value (the equivalent key) of the inner hashing. In this paper, we propose an efficient method to break -MAC by using a generalized birthday attack to recover the equivalent key, under the assumption that the underlying hash function is secure (weakly collision resistant). We can successfully recover the equivalent key of -MAC in about on-line MAC queries and off-line MAC computations with high probability. Moreover, we can improve the attack efficiency by reducing the on-line MAC queries, which can't be done concurrently. This attack shows that the security of -MAC is totally dependent on the (weak) collision resistance of the underlying hash function, instead of the PRF-AX of the underlying compression function in the original security proof of -MAC.
On the Security of NMAC and Its Variants
Based on the three earlier MAC (Message Authentication Code) construction approaches, we propose and analyze some variants of NMAC. We propose some key recovery attacks on these NMAC variants; for example, we can recover the equivalent inner key of NMAC in about O(2^(n/2)) MAC operations in a related-key setting. We propose NMAC-E, a variant of NMAC with a secret envelope, to achieve more processing efficiency with no loss of security; it needs only one call to the underlying hash function, instead of the two invocations in HMAC.
On the Security of NMAC and Its Variants
We first propose a general equivalent key recovery attack on a -MAC variant NMAC, which is also provably secure, by applying a generalized birthday attack. Our result shows that NMAC, even when instantiated with a secure Merkle-Damgård hash function, is not secure. We further show that this equivalent key recovery attack on NMAC is also applicable to NMAC for recovering the equivalent inner key of NMAC, in a related-key setting. We propose and analyze a series of NMAC variants with different secrecy approaches and key distributions, and we find that a variant NMAC-E, with the secret envelope approach, can withstand most of the known attacks in this paper. However, all variants, including NMAC itself, are vulnerable to the on-line birthday attack for verifiable forgery. Hence, the underlying cryptographic hash functions, based on the Merkle-Damgård construction, should be seriously re-evaluated.
Provable security for lightweight message authentication and encryption
The birthday bound often limits the security of a cryptographic scheme to half of the block size or internal state size.
This implies that cryptographic schemes require a block size or internal state size that is twice the security level, resulting in larger and more resource-intensive designs.
In this thesis, we introduce abstract constructions for message authentication codes and stream ciphers that we demonstrate to be secure beyond the birthday bound.
Our message authentication codes were inspired by previous work, specifically the message authentication code EWCDM by Cogliati and Seurin, as well as the work by Mennink and Neves, which demonstrates easy proofs of security for the sum of permutations and an improved bound for EWCDM.
We enhance the sum of permutations by incorporating a hash value and a nonce in our stateful design, and in our stateless design, we utilize two hash values.
One advantage over EWCDM is that the permutation calls, or block cipher calls, can be parallelized, whereas in EWCDM they must be performed sequentially.
We demonstrate that our constructions provide a security level of 2n/3 bits in the nonce-respecting setting.
Subsequently, this bound was further improved to 3n/4 bits of security.
Additionally, it was later discovered that security degrades gracefully with nonce repetitions, unlike EWCDM, where the security drops to the birthday bound with a single nonce repetition.
Contemporary stream cipher designs aim to minimize the hardware module's resource requirements by incorporating an externally available resource, all while maintaining a high level of security.
The security level is typically measured in relation to the size of the volatile internal state, i.e., the state cells within the cipher's hardware module.
Several designs have been proposed that continuously access the externally available non-volatile secret key during keystream generation.
However, there exists a generic distinguishing attack with birthday bound complexity.
We propose schemes that continuously access the externally available non-volatile initial value.
For all constructions, conventional or contemporary, we provide proofs of security against generic attacks in the random oracle model.
Notably, stream ciphers that use the non-volatile initial value during keystream generation offer security beyond the birthday bound.
Based on these findings, we propose a new stream cipher design called DRACO.
Cryptanalysis against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations
In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations.
Our attacks are not as efficient as polynomial-time attacks that make quantum superposition queries, but they use the realistic model and overwhelmingly improve on the classical attacks.
Our attacks convert a type of classical meet-in-the-middle attacks into quantum ones. The attack cost depends on the number of available qubits and the way to realize the quantum hardware. The tradeoff between data complexity and time complexity against the problem of cardinality is and in the best and worst case scenarios to the adversary respectively, while the classic attack requires .
This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for by limiting the maximum to be below according to the classical tradeoff . Those schemes are broken if quantum offline computations are performed by adversaries.
The attack can be applied to many schemes such as a tweakable block-cipher construction TDR, a dedicated MAC scheme Chaskey, an on-line authenticated encryption scheme McOE-X, a hash function based MAC H-MAC and a permutation based MAC keyed-sponge.
The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model.
Design and Analysis of Cryptographic Hash Functions
Wydział Matematyki i Informatyki
Cryptographic hash functions are a building block of many cryptographic algorithms. Example applications of cryptographic hash functions are digital signatures and message authentication codes. Their cryptographic properties have a significant impact on the security level of cryptographic systems that use hashing. The dissertation analyzes cryptographic hash functions and discusses the main principles for designing secure cryptographic hash functions. We analyze the security of dedicated hash functions (BMW, Shabal, SIMD, BLAKE2, Skein) and of hash functions built from block ciphers (Crypton, Hierocrypt-3, IDEA, SAFER++, Square). The main cryptanalytic methods used are truncated differential analysis, rotational analysis and shift analysis. The results obtained show weaknesses in the analyzed constructions.
Cryptographic Hash Functions (CHFs) are building blocks of many cryptographic algorithms. For instance, they are indispensable tools for efficient digital signatures and authentication tags. Their security properties have a tremendous impact on the security level of systems which use cryptographic hashing.
This thesis analyzes CHFs and studies the design principles for the construction of secure and efficient CHFs. The dissertation investigates the security of both dedicated hash functions (BMW, Shabal, SIMD, BLAKE2, Skein) and hash functions based on block ciphers (Crypton, Hierocrypt-3, IDEA, SAFER++, Square). The main cryptographic tools applied are truncated differentials, rotational analysis and shift analysis. The findings show weaknesses in the designs.
On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN
While modern block ciphers, such as AES, have a block size of at least 128 bits, there are many 64-bit block ciphers, such as 3DES and Blowfish, that are still widely supported in Internet security protocols such as TLS, SSH, and IPsec. When used in CBC mode, these ciphers are known to be susceptible to collision attacks when they are used to encrypt around 2^32 blocks of data (the so-called birthday bound). This threat has traditionally been dismissed as impractical since it requires some prior knowledge of the plaintext and, even then, it only leaks a few secret bits per gigabyte. Indeed, practical collision attacks have never been demonstrated against any mainstream security protocol, leading to the continued use of 64-bit ciphers on the Internet. In this work, we demonstrate two concrete attacks that exploit collisions on short block ciphers. First, we present an attack on the use of 3DES in HTTPS that can be used to recover a secret session cookie. Second, we show how a similar attack on Blowfish can be used to recover HTTP BasicAuth credentials sent over OpenVPN connections. In our proof-of-concept demos, the attacker needs to capture about 785GB of data, which takes between 19 and 38 hours in our setting. This complexity is comparable to the recent RC4 attacks on TLS: the only fully implemented attack takes 75 hours. We evaluate the impact of our attacks by measuring the use of 64-bit block ciphers in real-world protocols. We discuss mitigations, such as disabling all 64-bit block ciphers, and report on the response of various software vendors to our responsible disclosure of these attacks.
Cayley Graphs of Semigroups and Applications to Hashing
In 1994, Tillich and Zemor proposed a scheme for a family of hash functions that uses products of matrices in groups of the form . In 2009, Grassl et al. developed an attack to obtain collisions for palindromic bit strings by exploring a connection between the Tillich-Zemor functions and maximal length chains in the Euclidean algorithm for polynomials over .
In this work, we present a new proposal for hash functions based on Cayley graphs of semigroups. In our proposed hash function, the noncommutative semigroup of linear functions under composition is considered as platform for the scheme. We will also discuss its efficiency, pseudorandomness and security features.
Furthermore, we generalize Fit-Florea and Matula's algorithm (2004), which finds the discrete logarithm in the multiplicative group of integers modulo , by establishing a connection between semi-primitive roots modulo where and the logarithmic base used in the algorithm.