Pseudo-Cryptanalysis of Luffa

In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain in details the pseudo-preimage attacks. For Luffa-224/256, given the hash value, only 2 iteration computations are needed to get a pseudo-preimage. For Luffa-384, finding a pseudo-preimage needs about $2^{64}$ iteration computations with $2^{67}$ bytes memory by the extended generalized birthday attack. For Luffa-512, the complexity is $2^{128}$ iteration computations with $2^{132}$ bytes memory. It is noted that, we can find the pseudo-collision pairs and the pseudo-second images only changing a few different bits of initial values. That is directly converted to the forgery attack on NMAC in related key cases

On the Security of NMAC and Its Variants

Based on the three earlier MAC (Message Authentication Code) construction approaches, we propose and analyze some variants of NMAC. We propose  some key recovery attacks to  these  NMAC  variants, for  example, we can  recover  the  equivalent  inner  key  of NMAC  in  about O(2n/2) MAC  operations, in  a related key  setting. We  propose  NMAC-E, a  variant of NMAC  with  secret  envelop,  to  achieve  more  process  efficiency  and  no  loss  of security, which needs only one call to the  underlying hash  function, instead of two invocations in HMAC

Practical Electromagnetic Template Attack on HMAC

The original publication is available at www.springerlink.comInternational audienceIn this paper, we show that HMAC can be attacked using a very efficient side channel attack which reveals the Hamming distance of some registers. After a profiling phase which requires access to a similar device that can be configured by the adversary, the attack recovers the secret key on one recorded execution of HMAC-SHA-1 for example, on an embedded device. We perform experimentations using a NIOS processor executed on a Field Programmable Gate Array (FPGA) to confirm the leakage model. Besides the high efficiency of this attack, $2^32\cdot 3^k$ where $k$ is the number of 32-bit words of the key, that we tested with experimentations, our results also shed some light on the on the requirements in term of side channel attack for the future SHA-3 function. Finally, we show that our attack can also be used to break the confidentiality of network protocols usually implemented on embedded devices. We have performed experiments using a NIOS processor executed on a Field Programmable Gate Array (FPGA) to confirm the leakage model. We hope that our results shed some light on the requirements in term of side channel attack for the future SHA-3 function

Equivalent Key Recovery Attacks against HMAC and NMAC with Whirlpool Reduced to 7 Rounds

A main contribution of this paper is an improved analysis against HMAC instantiating with reduced Whirlpool. It recovers equivalent keys, which are often denoted as Kin and Kout, of HMAC with 7-round Whirlpool, while the previous best attack can work only for 6 rounds. Our approach is applying the meet-in-the-middle (MITM) attack on AES to recover MAC keys of Whirlpool. Several techniques are proposed to bypass different attack scenarios between a block cipher and a MAC, e.g., the chosen plaintext model of the MITM attacks on AES cannot be used for HMAC-Whirlpool. Besides, a larger state size and different key schedule designs of Whirlpool leave us a lot of room to study. As a result, equivalent keys of HMAC with 7-round Whirlpool are recovered with a complexity of (Data, Time, Memory) = (2^481.7, 2^482.3, 2^481)

Cryptanalysis of HMAC/NMAC-Whirlpool

In this paper, we present universal forgery and key recovery attacks on the most popular hash-based MAC constructions, e.g., HMAC and NMAC, instantiated with an AES-like hash function Whirlpool. These attacks work with Whirlpool reduced to 6 out of 10 rounds in single-key setting. To the best of our knowledge, this is the first result on ``original\u27\u27 key recovery for HMAC (previous works only succeeded in recovering the equivalent keys). Interestingly, the number of attacked rounds is comparable with that for collision and preimage attacks on Whirlpool hash function itself. Lastly, we present a distinguishing-H attack against the full HMAC- and NMAC-Whirlpool

The IEC 61850 sampled measured values protocol: Analysis, threat identification, and feasibility of using NN forecasters to detect spoofed packets \u3csup\u3e†\u3c/sup\u3e

The operation of the smart grid is anticipated to rely profoundly on distributed microprocessor-based control. Therefore, interoperability standards are needed to address the heterogeneous nature of the smart grid data. Since the IEC 61850 emerged as a wide-spread interoperability standard widely accepted by the industry, the Sampled Measured Values method has been used to communicate digitized voltage and current measurements. Realizing that current and voltage measurements (i.e., feedback measurements) are necessary for reliable and secure noperation of the power grid, firstly, this manuscript provides a detailed analysis of the Sampled Measured Values protocol emphasizing its advantages, then, it identifies vulnerabilities in this protocol and explains the cyber threats associated to these vulnerabilities. Secondly, current efforts to mitigate these vulnerabilities are outlined and the feasibility of using neural network forecasters to detect spoofed sampled values is investigated. It was shown that although such forecasters have high spoofed data detection accuracy, they are prone to the accumulation of forecasting error. Accordingly, this paper also proposes an algorithm to detect the accumulation of the forecasting error based on lightweight statistical indicators. The effectiveness of the proposed methods is experimentally verified in a laboratory-scale smart grid testbed

Cryptanalysis of Some Block Cipher Constructions

When the public-key cryptography was introduced in the 1970s, symmetric-key cryptography was believed to soon become outdated. Nevertheless, we still heavily rely on symmetric-key primitives as they give high-speed performance. They are used to secure mobile communication, e-commerce transactions, communication through virtual private networks and sending electronic tax returns, among many other everyday activities. However, the security of symmetric-key primitives does not depend on a well-known hard mathematical problem such as the factoring problem, which is the basis of the RSA public-key cryptosystem. Instead, the security of symmetric-key primitives is evaluated against known cryptanalytic techniques. Accordingly, the topic of furthering the state-of-the-art of cryptanalysis of symmetric-key primitives is an ever-evolving topic. Therefore, this thesis is dedicated to the cryptanalysis of symmetric-key cryptographic primitives. Our focus is on block ciphers as well as hash functions that are built using block ciphers. Our contributions can be summarized as follows: First, we tackle the limitation of the current Mixed Integer Linear Programming (MILP) approaches to represent the differential propagation through large S-boxes. Indeed, we present a novel approach that can efficiently model the Difference Distribution Table (DDT) of large S-boxes, i.e., 8-bit S-boxes. As a proof of the validity and efficiency of our approach, we apply it on two out of the seven AES-round based constructions that were recently proposed in FSE 2016. Using our approach, we improve the lower bound on the number of active S-boxes of one construction and the upper bound on the best differential characteristic of the other. Then, we propose meet-in-the-middle attacks using the idea of efficient differential enumeration against two Japanese block ciphers, i.e., Hierocrypt-L1 and Hierocrypt-3. Both block ciphers were submitted to the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) project, selected as one of the Japanese e-Government recommended ciphers in 2003 and reselected in the candidate recommended ciphers list in 2013. We construct five S-box layer distinguishers that we use to recover the master keys of reduced 8 S-box layer versions of both block ciphers. In addition, we present another meet-in-the-middle attack on Hierocrypt-3 with slightly higher time and memory complexities but with much less data complexity. Afterwards, we shift focus to another equally important cryptanalytic attack, i.e., impossible differential attack. SPARX-64/128 is selected among the SPARX family that was recently proposed to provide ARX based block cipher whose security against differential and linear cryptanalysis can be proven. We assess the security of SPARX-64/128 against impossible differential attack and show that it can reach the same number of rounds the division-based integral attack, proposed by the designers, can reach. Then, we pick Kiasu-BC as an example of a tweakable block cipher and prove that, on contrary to its designers’ claim, the freedom in choosing the publicly known tweak decreases its security margin. Lastly, we study the impossible differential properties of the underlying block cipher of the Russian hash standard Streebog and point out the potential risk in using it as a MAC scheme in the secret-IV mode