Algebraic Attacks on Round-Reduced Keccak/Xoodoo

Since Keccak was selected as the SHA-3 standard, both its hash mode and keyed mode have attracted lots of third-party cryptanalysis. Especially in recent years, there is progress in analyzing the collision resistance and preimage resistance of round-reduced Keccak. However, for the preimage attacks on round-reduced Keccak-384/512, we found that the linear relations leaked by the hash value are not well exploited when utilizing the current linear structures. To make full use of the $320+64\times2=448$ and 320 linear relations leaked by the hash value of Keccak-512 and Keccak-384, respectively, we propose a dedicated algebraic attack by expressing the output as a quadratic Boolean equation system in terms of the input. Such a quadratic Boolean equation system can be efficiently solved with linearization techniques. Consequently, we successfully improved the preimage attacks on 2/3/4 rounds of Keccak-384 and 2/3 rounds of Keccak-512. Since similar $\theta$ and $\chi$ operations exist in the round function of Xoodoo, we make a study of the permutation and construct a practical zero-sum distinguisher for 12-round Xoodoo. Although 12-round Xoodoo is the underlying permutation used in Xoodyak, which has been selected by NIST for the second round in the Lightweight Cryptography Standardization process, such a distinguisher will not lead to an attack on Xoodyak

Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3

We investigate the cost of Grover's quantum search algorithm when used in the context of pre-image attacks on the SHA-2 and SHA-3 families of hash functions. Our cost model assumes that the attack is run on a surface code based fault-tolerant quantum computer. Our estimates rely on a time-area metric that costs the number of logical qubits times the depth of the circuit in units of surface code cycles. As a surface code cycle involves a significant classical processing stage, our cost estimates allow for crude, but direct, comparisons of classical and quantum algorithms. We exhibit a circuit for a pre-image attack on SHA-256 that is approximately $2^{153.8}$ surface code cycles deep and requires approximately $2^{12.6}$ logical qubits. This yields an overall cost of $2^{166.4}$ logical-qubit-cycles. Likewise we exhibit a SHA3-256 circuit that is approximately $2^{146.5}$ surface code cycles deep and requires approximately $2^{20}$ logical qubits for a total cost of, again, $2^{166.5}$ logical-qubit-cycles. Both attacks require on the order of $2^{128}$ queries in a quantum black-box model, hence our results suggest that executing these attacks may be as much as $275$ billion times more expensive than one would expect from the simple query analysis.Comment: Same as the published version to appear in the Selected Areas of Cryptography (SAC) 2016. Comments are welcome

Improving security of lightweith SHA-3 against preimage attacks

In this article we describe the SHA-3 algorithm and its internal permutation in which potential weaknesses are hidden.  The hash algorithm can be used for different purposes, such as pseudo-random bit sequences generator, key wrapping or one pass authentication, especially in weak devices (WSN, IoT, etc.). Analysis of the function showed that successful preimage attacks are possible for low round hashes, protection from which only works with increasing the number of rounds inside the function. When the hash function is used for building lightweight applications, it is necessary to apply a small number of rounds, which requires additional security measures. This article proposes a variant improved hash function protecting against preimage attacks, which occur on SHA-3. We suggest using an additional external randomness sources obtained from a lightweight PRNG or from application of the source data permutation

Quantum Algorithms for Boolean Equation Solving and Quantum Algebraic Attack on Cryptosystems

Decision of whether a Boolean equation system has a solution is an NPC problem and finding a solution is NP hard. In this paper, we present a quantum algorithm to decide whether a Boolean equation system FS has a solution and compute one if FS does have solutions with any given success probability. The runtime complexity of the algorithm is polynomial in the size of FS and the condition number of FS. As a consequence, we give a polynomial-time quantum algorithm for solving Boolean equation systems if their condition numbers are small, say polynomial in the size of FS. We apply our quantum algorithm for solving Boolean equations to the cryptanalysis of several important cryptosystems: the stream cipher Trivum, the block cipher AES, the hash function SHA-3/Keccak, and the multivariate public key cryptosystems, and show that they are secure under quantum algebraic attack only if the condition numbers of the corresponding equation systems are large. This leads to a new criterion for designing cryptosystems that can against the attack of quantum computers: their corresponding equation systems must have large condition numbers

Security of the SHA-3 candidates Keccak and Blue Midnight Wish: Zero-sum property

The SHA-3 competition for the new cryptographic standard was initiated by National Institute of Standards and Technology (NIST) in 2007. In the following years, the event grew to one of the top areas currently being researched by the CS and cryptographic communities. The first objective of this thesis is to overview, analyse, and critique the SHA-3 competition. The second one is to perform an in-depth study of the security of two candidate hash functions, the finalist Keccak and the second round candidate Blue Midnight Wish. The study shall primarily focus on zero-sum distinguishers. First we attempt to attack reduced versions of these hash functions and see if any vulnerabilities can be detected. This is followed by attacks on their full versions. In the process, a novel approach is utilized in the search of zero-sum distinguishers by employing SAT solvers. We conclude that while such complex attacks can theoretically uncover undesired properties of the two hash functions presented, such attacks are still far from being fully realized due to current limitations in computing power

Cryptographic Applications of the Duplex Construction

Assured security is the desirable feature of modern cryptography. Most of moderncryptography primitives have no provably secure constructions. Their safety is defined on the basis ofwell-known in the given time cryptanalytic attacks. The duplex construction equipped with one idealpermutation and appropriate security parameters is suitable for building provably secure cryptographicprimitives. The constructions can be used for unclassified information of different sensitivity levelsprotection. Some of them can secure classified information up to the TOP SECRET level. Theapplications based on the duplex construction can be used for key wrapping, authenticated encryptionand can work as a pseudo-random bit sequence generator. They are not covered by any knownintellectual property

An IoT Endpoint System-on-Chip for Secure and Energy-Efficient Near-Sensor Analytics

Near-sensor data analytics is a promising direction for IoT endpoints, as it minimizes energy spent on communication and reduces network load - but it also poses security concerns, as valuable data is stored or sent over the network at various stages of the analytics pipeline. Using encryption to protect sensitive data at the boundary of the on-chip analytics engine is a way to address data security issues. To cope with the combined workload of analytics and encryption in a tight power envelope, we propose Fulmine, a System-on-Chip based on a tightly-coupled multi-core cluster augmented with specialized blocks for compute-intensive data processing and encryption functions, supporting software programmability for regular computing tasks. The Fulmine SoC, fabricated in 65nm technology, consumes less than 20mW on average at 0.8V achieving an efficiency of up to 70pJ/B in encryption, 50pJ/px in convolution, or up to 25MIPS/mW in software. As a strong argument for real-life flexible application of our platform, we show experimental results for three secure analytics use cases: secure autonomous aerial surveillance with a state-of-the-art deep CNN consuming 3.16pJ per equivalent RISC op; local CNN-based face detection with secured remote recognition in 5.74pJ/op; and seizure detection with encrypted data collection from EEG within 12.7pJ/op.Comment: 15 pages, 12 figures, accepted for publication to the IEEE Transactions on Circuits and Systems - I: Regular Paper

Preimage Attacks on Round-reduced Keccak-224/256 via an Allocating Approach

We present new preimage attacks on standard Keccak-224 and Keccak-256 that are reduced to 3 and 4 rounds. An allocating approach is used in the attacks, and the whole complexity is allocated to two stages, such that fewer constraints are considered and the complexity is lowered in each stage. Specifically, we are trying to find a 2-block preimage, instead of a 1-block one, for a given hash value, and the first and second message blocks are found in two stages, respectively. Both the message blocks are constrained by a set of newly proposed conditions on the middle state, which are weaker than those brought by the initial values and the hash values. Thus, the complexities in the two stages are both lower than that of finding a 1-block preimage directly. Together with the basic allocating approach, an improved method is given to balance the complexities of two stages, and hence, obtains the optimal attacks. As a result, we present the best theoretical preimage attacks on Keccak-224 and Keccak-256 that are reduced to 3 and 4 rounds. Moreover, we practically found a (second) preimage for 3-round Keccak-224 with a complexity of 2^{39.39}