Weak Singular Hybrid Automata

The framework of Hybrid automata, introduced by Alur, Courcourbetis, Henzinger, and Ho, provides a formal modeling and analysis environment to analyze the interaction between the discrete and the continuous parts of cyber-physical systems. Hybrid automata can be considered as generalizations of finite state automata augmented with a finite set of real-valued variables whose dynamics in each state is governed by a system of ordinary differential equations. Moreover, the discrete transitions of hybrid automata are guarded by constraints over the values of these real-valued variables, and enable discontinuous jumps in the evolution of these variables. Singular hybrid automata are a subclass of hybrid automata where dynamics is specified by state-dependent constant vectors. Henzinger, Kopke, Puri, and Varaiya showed that for even very restricted subclasses of singular hybrid automata, the fundamental verification questions, like reachability and schedulability, are undecidable. In this paper we present \emph{weak singular hybrid automata} (WSHA), a previously unexplored subclass of singular hybrid automata, and show the decidability (and the exact complexity) of various verification questions for this class including reachability (NP-Complete) and LTL model-checking (PSPACE-Complete). We further show that extending WSHA with a single unrestricted clock or extending WSHA with unrestricted variable updates lead to undecidability of reachability problem

New collision attacks on SHA-1 based on optimal joint local-collision analysis

The main contributions of this paper are two-fold. Firstly, we present a novel direction in the cryptanalysis of the cryptographic hash function {\SHA}. Our work builds on previous cryptanalytic efforts on {\SHA} based on combinations of local collisions. Due to dependencies, previous approaches used heuristic corrections when combining the success probabilities and message conditions of the individual local collisions. Although this leads to success probabilities that are seemingly sufficient for feasible collision attacks, this approach most often does not lead to the maximum success probability possible as desired. We introduce novel techniques that enable us to determine the theoretical maximum success probability for a given set of (dependent) local collisions, as well as the smallest set of message conditions that attains this probability. We apply our new techniques and present an implemented open-source near-collision attack on {\SHA} with a complexity equivalent to $2^{57.5}$ {\SHA} compressions. Secondly, we present an identical-prefix collision attack and a chosen-prefix collision attack on {\SHA} with complexities equivalent to approximately $2^{61}$ and $2^{77.1}$ {\SHA} compressions, respectively

Chosen-Prefix Collisions for MD5 and Applications

We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of \emph{chosen-prefix collisions}. We have shown how, at an approximate expected cost of $2^{39}$ calls to the MD5 compression function, for any two chosen message prefixes $P$ and $P'$, suffixes $S$ and $S'$ can be constructed such that the concatenated values $P\|S$ and $P'\|S'$ collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf.\ \url{http://www.win.tue.nl/hashclash/rogue-ca/}). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on \url{http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/}

Versatile FPGA architecture for skein hashing algorithm

Digital communications and data storage are expanding at fast rates, increasing the need for advanced cryptographic standards to validate and provide privacy for that data. One of the basic components commonly used in information security systems is cryptographic hashing. Cryptographic hashing involves the compression of an arbitrary block of data into a fixed-size string of bits known as the hash value. These functions are designed such that it is computationally infeasible to determine a message that results in a given hash value. It should also be infeasible to find two messages with the same hash value and to change a message without its hash value being changed. Some of the most common uses of these algorithms are digital signatures, message authentication codes, file identification, and data integrity. Due to developments in attacks on the Secure Hash Standard (SHS), which includes SHA-1 and SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512), the National Institute of Standards and Technology (NIST) will be selecting a new hashing algorithm to replace the current standards. In 2008, 64 algorithms were entered into the NIST competition and in December 2010, five finalists were chosen. The final candidates are BLAKE, Keccak, Gr{o}stl, JH, and Skein. In 2012, one of these algorithms will be selected for the Secure Hash Algorithm 3 (SHA-3). This thesis focuses on the development of a versatile hardware architecture for Skein that provides both sequential and tree hashing functions of Skein. The performance optimizations rely heavily on pipelined and unrolled architectures to allow for simultaneous hashing of multiple unique messages and reduced area tree hashing implementations. Additional result of this thesis is a comprehensive overview of the newly developed architectures and an analysis of their performance in comparison with other software and hardware implementations