
    Practical-Time Related-Key Attack on GOST with Secret S-boxes

    The block cipher GOST 28147-89 was the Russian Federation encryption standard for over 20 years, and is still one of its two standard block ciphers. GOST is a 32-round Feistel construction, whose security benefits from the fact that the S-boxes used in the design are kept secret. In the last 10 years, several attacks on the full 32-round GOST were presented. However, they all assume that the S-boxes are known. When the S-boxes are secret, all published attacks either target a small number of rounds, or apply for small sets of weak keys. In this paper we present the first practical-time attack on GOST with secret S-boxes. The attack works in the related-key model and is faster than all previous attacks in this model which assume that the S-boxes are known. The complexity of the attack is less than $2^{27}$ encryptions. It was fully verified, and runs in a few seconds on a PC. The attack is based on a novel type of related-key differentials of GOST, inspired by local collisions. Our new technique may be applicable to certain GOST-based hash functions as well. To demonstrate this, we show how to find a collision on a Davies-Meyer construction based on GOST with an arbitrary initial value, in less than $2^{10}$ hash function evaluations.

    Too Much Crypto

    We show that many symmetric cryptography primitives would not be less safe with significantly fewer rounds. To support this claim, we review the cryptanalysis progress of the last 20 years, examine the reasons behind the current numbers of rounds, and analyze the risk of using fewer rounds. Advocating a rational and scientific approach to the selection of round numbers, we propose revised numbers of rounds for AES, BLAKE2, ChaCha, and SHA-3, which offer more consistent security margins across primitives and make them much faster, without increasing the security risk.

    Meet-in-the-Middle Preimage Attacks on Sponge-based Hashing

    The Meet-in-the-Middle (MitM) attack has been widely applied to preimage attacks on Merkle-Damgård (MD) hashing. In this paper, we introduce a generic framework for the MitM attack on sponge-based hashing. We find that certain bit conditions can significantly reduce the diffusion of the unknown bits and lead to longer MitM characteristics. To find good or optimal configurations of MitM attacks, e.g., the bit conditions, the neutral sets, and the matching points, we introduce bit-level MILP-based automatic tools for Keccak, Ascon and Xoodyak. To reduce the scale of the bit-level models and make them solvable in reasonable time, a series of properties of the targeted hash functions are considered in the modelling, such as the linear structure and CP-kernel for Keccak and the Boolean expression of the S-box for Ascon. Finally, we give an improved 4-round preimage attack on Keccak-512/SHA3, breaking a cryptanalysis record that stood for nearly 10 years. We also give the first preimage attacks on 3-/4-round Ascon-XOF and 3-round Xoodyak-XOF.

    Evaluation of the strength and performance of a new hashing algorithm based on a block cipher

    The article evaluates the strength of the new HBC-256 hashing algorithm. To study its cryptographic properties, the algorithm was implemented in software in the Python and C programming languages. For the algebraic analysis of HBC-256, a system of Boolean equations was built for one round using the Transalg tool: the program code implementing the hashing algorithm was converted into a program that generates the equations. As a result, one round of the compression function was described in conjunctive normal form (CNF) using 82,533 equations over 16,609 variables. To search for a collision, the satisfiability (SAT) solver Lingeling was used, including a version that supports parallel computing. It is shown that each additional round doubles the number of equations and variables, so the time to find a solution grows exponentially; therefore, finding solutions for the full HBC-256 hash function is not feasible.

    Quantum cryptanalysis of the «Kupyna» hash function using the Grover-meets-Simon algorithm

    The paper examines the operation and internal structure of the «Kupyna» hash function. The Grover, Simon, and Grover-meets-Simon algorithms are analysed. Based on the structure of «Kupyna», it is shown that the compression function can be represented as a sequence of Even-Mansour schemes with corresponding keys and permutations. This representation yields an attack on the compression function using the Grover-meets-Simon algorithm. The quantum time estimates for the attack are $2^{173}$ and $2^{173.24}$ for 5 and 6 rounds of the compression function with input length 512 bits, respectively, and $2^{344.33}$ for 8 rounds with input length 1024 bits. In addition, the reduction of the attack on the compression function of «Kupyna» to an attack on the EFX construction is investigated; the resulting quantum time estimates are $2^{344}$ for 5 and 6 rounds with input length 512 bits and $2^{686}$ for 8 rounds with input length 1024 bits. The overall gate complexity of an attack on the CF + Trunc construction of «Kupyna» (the compression function followed by the finalisation function) using Grover's algorithm is also evaluated. According to the NIST metric, the applicability of Grover's algorithm to CF + Trunc is assessed and the following gate complexities are obtained: «Kupyna» variants with output length from 8 to 256 bits and input length 512 bits are vulnerable to a Grover attack with gate complexity about $2^{313.73}$; the security of variants with output length above 256 and up to 512 bits and input length 1024 bits remains an open question with respect to the threshold constants, with gate complexity about $2^{572.86}$.

    Efficient Detection of High Probability Statistical Properties of Cryptosystems via Surrogate Differentiation

    A central problem in cryptanalysis is to find all the significant deviations from randomness in a given $n$-bit cryptographic primitive. When $n$ is small (e.g., an $8$-bit S-box), this is easy to do, but for large $n$, the only practical way to find such statistical properties was to exploit the internal structure of the primitive and to speed up the search with a variety of heuristic rules of thumb. However, such bottom-up techniques can miss many properties, especially in cryptosystems which are designed to have hidden trapdoors. In this paper we consider the top-down version of the problem in which the cryptographic primitive is given as a structureless black box, and reduce the complexity of the best known techniques for finding all its significant differential and linear properties by a large factor of $2^{n/2}$. Our main new tool is the idea of using surrogate differentiation. In the context of finding differential properties, it enables us to simultaneously find information about all the differentials of the form $f(x) \oplus f(x \oplus \alpha)$ in all possible directions $\alpha$ by differentiating $f$ in a single arbitrarily chosen direction $\gamma$ (which is unrelated to the $\alpha$'s). In the context of finding linear properties, surrogate differentiation can be combined in a highly effective way with the Fast Fourier Transform. For $64$-bit cryptographic primitives, this technique makes it possible to automatically find in about $2^{64}$ time all their differentials with probability $p \geq 2^{-32}$ and all their linear approximations with bias $|p| \geq 2^{-16}$; previous algorithms for these problems required at least $2^{96}$ time. Similar techniques can be used to significantly improve the best known time complexities of finding related-key differentials, second-order differentials, and boomerangs. In addition, we show how to run variants of these algorithms which require no memory, and how to detect such statistical properties even in trapdoored cryptosystems whose designers specifically try to evade our techniques.
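    As an added illustration (not code from the paper), the exhaustive small-$n$ baseline that the abstract contrasts against: for a 4-bit black-box S-box (the public PRESENT S-box is used as sample input) it enumerates every differential $f(x) \oplus f(x \oplus \alpha)$ directly and obtains all linear biases with a fast Walsh-Hadamard transform, the transform-based step the abstract pairs with surrogate differentiation for linear properties. This is the roughly $2^{2n}$ brute-force method that stops being practical at $n = 64$; it does not implement surrogate differentiation itself.

```python
"""Exhaustive differential and linear profiling of a small black-box S-box.

Added illustration, not the paper's code: the small-n baseline (enumerate every
(alpha, beta) pair; Walsh-Hadamard transform for linear biases). It costs about
2^(2n) work, which is exactly what becomes infeasible for 64-bit primitives.
"""
from typing import List, Tuple

# Sample input: the 4-bit PRESENT S-box, a public constant used here as test data.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox: List[int]) -> List[List[int]]:
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for x in range(size):
        for a in range(size):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def fwht(values: List[int]) -> List[int]:
    """Fast Walsh-Hadamard transform: result[a] = sum_x (-1)^{a.x} * values[x]."""
    v = list(values)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def lat(sbox: List[int]) -> List[List[int]]:
    """Linear approximation table: lat[b][a] = #{x : a.x == b.S(x)} - size/2.

    One transform per output mask b yields the correlation with every input
    mask a at once (the FFT trick the abstract refers to for linear properties).
    """
    size = len(sbox)
    table = []
    for b in range(size):
        signs = [-1 if parity(b & sbox[x]) else 1 for x in range(size)]
        walsh = fwht(signs)                    # walsh[a] = #agree - #disagree
        table.append([w // 2 for w in walsh])  # = #agree - size/2
    return table


def significant_differentials(sbox: List[int], min_prob: float) -> List[Tuple[int, int, float]]:
    """All (alpha, beta, p) with alpha != 0 and Pr[S(x) ^ S(x ^ alpha) == beta] >= min_prob."""
    size = len(sbox)
    table = ddt(sbox)
    return [(a, b, table[a][b] / size)
            for a in range(1, size) for b in range(size)
            if table[a][b] / size >= min_prob]


def significant_linear(sbox: List[int], min_bias: float) -> List[Tuple[int, int, float]]:
    """All (a, b, bias) with (a, b) != (0, 0) and |Pr[a.x == b.S(x)] - 1/2| >= min_bias."""
    size = len(sbox)
    table = lat(sbox)
    return [(a, b, table[b][a] / size)
            for b in range(size) for a in range(size)
            if (a, b) != (0, 0) and abs(table[b][a]) / size >= min_bias]


if __name__ == "__main__":
    for a, b, p in significant_differentials(PRESENT_SBOX, 1 / 4):
        print(f"diff {a:x} -> {b:x}   p = {p}")
    for a, b, bias in significant_linear(PRESENT_SBOX, 1 / 4):
        print(f"lin  {a:x}.x = {b:x}.S(x)   bias = {bias:+}")
```

    The two functions already have the shape the abstract describes for the large-$n$ problem (a threshold on probability or bias, and a list of every property above it); the difference is only that here the tables are filled by visiting all $2^{2n}$ input pairs and masks, which is affordable at $n = 4$ and not at $n = 64$.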

    Horst Meets Fluid-SPN: Griffin for Zero-Knowledge Applications

    Zero-knowledge (ZK) applications form a large group of use cases in modern cryptography, and have recently gained in popularity due to novel proof systems. For many of these applications, cryptographic hash functions are used as the main building blocks, and they often dominate the overall performance and cost of these approaches. Therefore, in recent years several new hash functions were built in order to reduce the cost in these scenarios, including Poseidon and Rescue among others. These hash functions often look very different from more classical designs such as AES or SHA-2; for example, they work natively over prime fields rather than binary ones. At the same time, Poseidon and Rescue, for example, share some common features, such as being SPN schemes and instantiating the nonlinear layer with invertible power maps. While this allows the designers to provide simple and strong arguments for establishing their security, it also introduces crucial limitations in the design, which may affect the performance in the target applications. In this paper, we propose the Horst construction, in which the addition in a Feistel scheme, $(x, y) \mapsto (y + F(x), x)$, is extended via a multiplication, i.e., $(x, y) \mapsto (y \cdot G(x) + F(x), x)$. By carefully analyzing the performance metrics in SNARK and STARK protocols, we show how to combine an expanding Horst scheme with a Rescue-like SPN scheme in order to provide security and better efficiency in the target applications. We provide an extensive security analysis for our new design Griffin and a comparison with all current competitors.
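    As an added illustration (not Griffin's reference code; the field, $F$ and $G$ below are choices made for this example, not the paper's parameters), one Horst round over a prime field next to the Feistel round it generalises, together with its inverse. The check it carries is the one a practitioner needs before trusting the construction as a permutation: multiplying $y$ by $G(x)$ only keeps the round invertible if $G(x)$ is never zero, so $G$ is taken as a quadratic with no roots in the field, verified with Euler's criterion, and a $G$ that does vanish is shown to make distinct inputs collide.

```python
"""One Horst round (x, y) -> (y * G(x) + F(x), x) over a prime field, its inverse,
and the classical Feistel round (x, y) -> (y + F(x), x) it generalises.

Added illustration, not the Griffin reference implementation: P, F and G are
picked for this example (assumptions), not taken from the paper.
"""
from typing import Callable, Tuple

P = 2**61 - 1  # Mersenne prime; P = 3 (mod 4), so -1 is a quadratic non-residue mod P


def F(x: int) -> int:
    """Non-linear term of the round (a cubing map, chosen for this example)."""
    return pow(x, 3, P)


def G(x: int) -> int:
    """Multiplier of the Horst round. The round is a bijection only if G(x) != 0
    for every x in F_P. x^2 + 1 has discriminant -4, a non-residue when
    P = 3 (mod 4), so it has no root in F_P."""
    return (x * x + 1) % P


def is_quadratic_non_residue(d: int) -> bool:
    """Euler's criterion: d is a non-residue mod P iff d^((P-1)/2) = -1 (mod P)."""
    return pow(d % P, (P - 1) // 2, P) == P - 1


def feistel_round(x: int, y: int) -> Tuple[int, int]:
    """Classical Feistel step (x, y) -> (y + F(x), x)."""
    return (y + F(x)) % P, x


def horst_round(x: int, y: int, g: Callable[[int], int] = G) -> Tuple[int, int]:
    """Horst step (x, y) -> (y * G(x) + F(x), x)."""
    return (y * g(x) + F(x)) % P, x


def horst_inverse(u: int, v: int, g: Callable[[int], int] = G) -> Tuple[int, int]:
    """Undo horst_round: x passes through unchanged, so y = (u - F(x)) / G(x)."""
    x = v
    gx = g(x)
    if gx == 0:
        raise ValueError("G(x) = 0: the round is not invertible at this x")
    y = (u - F(x)) * pow(gx, -1, P) % P  # modular inverse (Python 3.8+)
    return x, y


def round_trips(x: int, y: int) -> bool:
    """True when inverting the round recovers the original pair."""
    return horst_inverse(*horst_round(x, y)) == (x, y)


def bad_g(x: int) -> int:
    """x^2 - 1 vanishes at x = 1 and x = P - 1; a round built on it is not a permutation,
    because at those x every y maps to the same output (F(x), x)."""
    return (x * x - 1) % P


if __name__ == "__main__":
    print("disc(-4) is a non-residue:", is_quadratic_non_residue(-4))
    print("feistel:", feistel_round(2, 3), " horst:", horst_round(5, 7))
    print("round trip ok:", round_trips(5, 7))
    print("collision with vanishing G:", horst_round(1, 2, bad_g) == horst_round(1, 3, bad_g))
```

    Running the round backwards costs one field inversion per step, which is why the non-vanishing check on $G$ matters: without it the inverse is undefined for some inputs and the map stops being a permutation, so any security argument that assumes a bijective round no longer applies.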

    Survey: Non-malleable code in the split-state model

    Non-malleable codes are a natural relaxation of error-correction and error-detection codes, applicable in scenarios where error correction or error detection is impossible. Over the last decade, non-malleable codes have been studied for a wide variety of tampering families. Among the most well studied of these is the split-state family of tampering channels, where the codeword is split into two or more parts and each part is tampered independently. We survey various constructions and applications of non-malleable codes in the split-state model.