Integral Distinguishers for Reduced-round Stribog
In January 2013, the Stribog hash function officially replaced GOST R 34.11-94 as the new Russian cryptographic hash standard GOST R 34.11-2012. Stribog is an AES-based primitive and is considered an asymmetric reply to the new SHA-3 selected by NIST. In this paper we investigate the structural integral properties of reduced-round versions of the Stribog compression function and its internal permutation. Specifically, we present forward and backward higher-order integrals that can be used to distinguish 4 and 3.5 rounds, respectively. Moreover, using the start-from-the-middle approach, we combine the two proposed integrals to obtain 6.5-round and 7.5-round distinguishers for the internal permutation and 6-round and 7-round distinguishers for the compression function.
Streebog compression function as PRF in secret-key settings
The security of many keyed hash-based cryptographic constructions (such as HMAC) depends on the fact that the underlying compression function is a pseudorandom function (PRF). This paper presents key-recovery algorithms for 7 rounds (of 12) of the Streebog compression function. Two cases were considered, depending on which input is used as the secret key: the previous state or the message block. The proposed methods implicitly show that the Streebog compression function has a large security margin as a PRF in the above-mentioned secret-key settings.
Related-key attacks on the compression function of Streebog
Related-key attacks against block ciphers are often considered unrealistic. In practice, as far as possible, the existence of a known relation between the secret encryption keys is avoided. Despite this, related keys arise directly in some widely used keyed hash functions. This is especially true for HMAC-Streebog, where known constants and manipulated parameters are added to the secret key. The relation is determined by addition modulo and . The security of HMAC reduces to the properties of the underlying compression function. Therefore, as an initial analysis, we propose key-recovery methods for 10 and 11 rounds (out of 12) of the Streebog compression function in the related-key setting. The result shows that Streebog successfully resists attacks even in a model with such powerful adversaries.
Cryptanalysis of Some Block Cipher Constructions
When public-key cryptography was introduced in the 1970s, symmetric-key cryptography was believed to soon become outdated. Nevertheless, we still rely heavily on symmetric-key primitives because of their high-speed performance. They are used to secure mobile communication, e-commerce transactions, communication through virtual private networks and the filing of electronic tax returns, among many other everyday activities. However, the security of symmetric-key primitives does not depend on a well-known hard mathematical problem such as the factoring problem, which is the basis of the RSA public-key cryptosystem. Instead, the security of symmetric-key primitives is evaluated against known cryptanalytic techniques. Accordingly, furthering the state of the art in the cryptanalysis of symmetric-key primitives is an ever-evolving topic. This thesis is therefore dedicated to the cryptanalysis of symmetric-key cryptographic primitives. Our focus is on block ciphers as well as hash functions that are built using block ciphers. Our contributions can be summarized as follows:
First, we tackle the limitation of current Mixed Integer Linear Programming (MILP) approaches in representing differential propagation through large S-boxes. We present a novel approach that can efficiently model the Difference Distribution Table (DDT) of large S-boxes, i.e., 8-bit S-boxes. As a proof of the validity and efficiency of our approach, we apply it to two of the seven AES-round-based constructions that were recently proposed at FSE 2016. Using our approach, we improve the lower bound on the number of active S-boxes of one construction and the upper bound on the best differential characteristic of the other.
Then, we propose meet-in-the-middle attacks using the idea of efficient differential enumeration against two Japanese block ciphers, Hierocrypt-L1 and Hierocrypt-3. Both block ciphers were submitted to the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) project, selected as Japanese e-Government recommended ciphers in 2003 and reselected for the candidate recommended ciphers list in 2013. We construct five S-box-layer distinguishers that we use to recover the master keys of reduced 8-S-box-layer versions of both block ciphers. In addition, we present another meet-in-the-middle attack on Hierocrypt-3 with slightly higher time and memory complexities but with much lower data complexity.
Afterwards, we shift focus to another equally important cryptanalytic attack, the impossible differential attack. SPARX-64/128 is selected from the SPARX family, which was recently proposed to provide ARX-based block ciphers whose security against differential and linear cryptanalysis can be proven. We assess the security of SPARX-64/128 against impossible differential attacks and show that they can reach the same number of rounds as the division-based integral attack proposed by the designers. Then, we pick Kiasu-BC as an example of a tweakable block cipher and prove that, contrary to its designers' claim, the freedom in choosing the publicly known tweak decreases its security margin. Lastly, we study the impossible differential properties of the underlying block cipher of the Russian hash standard Streebog and point out the potential risk of using it as a MAC scheme in the secret-IV mode.
Cryptanalysis of Some AES-based Cryptographic Primitives
Current information security systems rely heavily on symmetric-key cryptographic primitives as one of their basic building blocks. In order to boost the efficiency of security systems, designers of the underlying primitives often tend to avoid the use of provably secure designs. Instead, they adopt ad hoc designs with claimed security assumptions in the hope that they resist known cryptanalytic attacks. Accordingly, the security evaluation of such primitives continually remains an open field. In this thesis, we analyze the security of two cryptographic hash functions and one block cipher. We primarily focus on the recent AES-based designs used in the new Russian Federation cryptographic hashing and encryption suite GOST, because the majority of our work was carried out during the open research competition run by the Russian standardization body TC26 for the analysis of their new cryptographic hash function Streebog. Although there exist security proofs for the resistance of AES-based primitives against standard differential and linear attacks, other cryptanalytic techniques such as integral, rebound, and meet-in-the-middle attacks have proven to be effective. The results presented in this thesis can be summarized as follows:
Initially, we analyze various security aspects of the Russian cryptographic hash function GOST R 34.11-2012, also known as Streebog or Stribog. In particular, our work investigates five security aspects of Streebog. Firstly, we present a collision analysis of the compression function and its internal cipher in the form of a series of modified rebound attacks. Secondly, we propose an integral distinguisher for the 7- and 8-round compression function. Thirdly, we investigate the one-wayness of Streebog with respect to two approaches of the meet-in-the-middle attack, where we present a preimage analysis of the compression function and combine the results with a multicollision attack to generate a preimage of the hash function output. Fourthly, we investigate Streebog in the context of malicious hashing and, by utilizing a carefully tailored differential path, we present a backdoored version of the hash function where collisions can be generated with practical complexity. Lastly, we propose a fault analysis attack which retrieves the inputs of the compression function and utilizes it to recover the secret key when Streebog is used in the keyed simple prefix and secret-IV MACs, HMAC, or NMAC. All the presented results are on reduced-round variants of the function except for our analysis of the malicious version of Streebog and our fault analysis attack, where both attacks cover the full-round hash function.
Next, we examine the preimage resistance of the AES-based Maelstrom-0 hash function, which is designed to be a lightweight alternative to the ISO-standardized hash function Whirlpool. One of the distinguishing features of the Maelstrom-0 design is the proposal of a new chaining construction called 3CM, which is based on the 3C/3C+ family. In our analysis, we employ a 4-stage approach that uses a modified technique to defeat the 3CM chaining construction and generates preimages of the 6-round reduced Maelstrom-0 hash function.
Finally, we provide a key-recovery attack on the new Russian encryption standard GOST R 34.12-2015, also known as Kuznyechik. Although Kuznyechik adopts an AES-based design, it exhibits a faster diffusion rate as it employs an optimal diffusion transformation. In our analysis, we propose a meet-in-the-middle attack using the idea of efficient differential enumeration, where we construct a three-round distinguisher and consequently are able to recover 16 bytes of the master key of the reduced 5-round cipher. We also present partial sequence matching, by which we generate, store, and match parts of the compared parameters while maintaining a negligible probability of matching error, and thus the overall online time complexity of the attack is reduced.