TurboSHAKE

In a recent presentation, we promoted the use of 12-round instances of Keccak, collectively called “TurboSHAKE”, in post-quantum cryptographic schemes, but without defining them further. The goal of this note is to fill this gap: The definition of the TurboSHAKE family simply consists in exposing and generalizing the primitive already defined inside KangarooTwelve

Practical collision attacks against round-reduced SHA-3

The Keccak hash function is the winner of the SHA-3 competition (2008–2012) and became the SHA-3 standard of NIST in 2015. In this paper, we focus on practical collision attacks against round-reduced SHA-3 and some Keccak variants. Following the framework developed by Dinur et al. at FSE 2012 where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors to up to three rounds and hence achieve collision attacks for up to 6 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearizing S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. When linearization is applied to the first two rounds, 3-round connectors become possible. However, due to the quick reduction in the degree of freedom caused by linearization, the connector succeeds only when the 3-round differential trails satisfy some additional conditions. We develop dedicated strategies for searching differential trails and find that such special differential trails indeed exist. To summarize, we obtain the first real collisions on six instances, including three round-reduced instances of SHA-3, namely 5-round SHAKE128, SHA3-224 and SHA3-256, and three instances of Keccak contest, namely Keccak[1440, 160, 5, 160], Keccak[640, 160, 5, 160] and Keccak[1440, 160, 6, 160], improving the number of practically attacked rounds by two. It is remarked that the work here is still far from threatening the security of the full 24-round SHA-3 family.NRF (Natl Research Foundation, S’pore

Exploring SAT for Cryptanalysis: (Quantum) Collision Attacks against 6-Round SHA-3 (Full Version)

In this work, we focus on collision attacks against instances of SHA-3 hash family in both classical and quantum settings. Since the 5-round collision attacks on SHA3-256 and other variants proposed by Guo et al. at JoC~2020, no other essential progress has been published. With a thorough investigation, we identify that the challenges of extending such collision attacks on SHA-3 to more rounds lie in the inefficiency of differential trail search. To overcome this obstacle, we develop a SAT-based automatic search toolkit. The tool is used in multiple intermediate steps of the collision attacks and exhibits surprisingly high efficiency in differential trail search and other optimization problems encountered in the process. As a result, we present the first 6-round classical collision attack on SHAKE-128 with time complexity $2^{123.5}$, which also forms a quantum collision attack with quantum time ${{2^{67.25}}/{\sqrt{S}}}$, and the first 6-round quantum collision attack on SHA3-224 and SHA3-256 with quantum time ${{2^{97.75}}/{\sqrt{S}}}$ and ${{2^{104.25}}/{\sqrt{S}}}$, both with negligible requirement of classical and quantum memory. The fact that classical collision attacks do not apply to 6-round SHA3-224 and SHA3-256 shows the higher coverage of quantum collision attacks, which is consistent with that on SHA-2 observed by Hosoyamada and Sasaki at CRYPTO~2021

Hash Functions Monolith for ZK Applications: May the Speed of SHA-3 be With You

The rising popularity of computational integrity protocols has led to an increased focus on efficient domain-specific hash functions, which are one of the core components in these use cases. For example, they are used for polynomial commitments or membership proofs in the context of Merkle trees. Indeed, in modern proof systems the computation of hash functions is a large part of the entire proof\u27s complexity. In the recent years, authors of these hash functions have focused on components which are verifiable with low-degree constraints. This led to constructions like Poseidon, Rescue, Griffin, Reinforced Concrete, and Tip5, all of which showed significant improvements compared to classical hash functions such as SHA-3 when used inside the proof systems. In this paper, we focus on lookup-based computations, a specific component which allows to verify that a particular witness is contained in a lookup table. We work over 31-bit and 64-bit finite fields $\mathbb F_p$, both of which are used in various modern proof systems today and allow for fast implementations. We propose a new 2-to-1 compression function and a SAFE hash function, instantiated by the Monolith permutation. The permutation is significantly more efficient than its competitors, both in terms of circuit friendliness and plain performance, which has become one of the main bottlenecks in various use cases. This includes Reinforced Concrete and Tip5, the first two hash functions using lookup computations internally. Moreover, in Monolith we instantiate the lookup tables as functions defined over $\mathbb F_2$ while ensuring that the outputs are still elements in $\mathbb F_p$. Contrary to Reinforced Concrete and Tip5, this approach allows efficient constant-time plain implementations which mitigates the risk of side-channel attacks potentially affecting competing lookup-based designs. Concretely, our constant time 2-to-1 compression function is faster than a constant time version of Poseidon2 by a factor of 7. Finally, it is also the first arithmetization-oriented function with a plain performance comparable to SHA3-256, essentially closing the performance gap between circuit-friendly hash functions and traditional ones

Privacy-Preserving Protocols for Vehicular Transport Systems

La present tesi es centra en la privadesa dels ciutadans com a usuaris de mitjans de transport vehiculars dins del marc d'una e-society. En concret, les contribucions de la tesi es focalitzen en les subcategories d'estacionament de vehicles privats en zones públiques regulades i en la realització de transbordaments entre línies intercomunicades en l'àmbit del transport públic. Una anàlisi acurada de les dades recopilades pels proveedors d'aquests serveis, sobre un determinat usuari, pot proporcionar informació personal sensible com per exemple: horari laboral, professió, hobbies, problemes de salut, tendències polítiques, inclinacions sexuals, etc. Tot i que existeixin lleis, com l'europea GDPR, que obliguin a utilitzar les dades recollides de forma correcta per part dels proveedors de serveis, ja sigui a causa d'un atac informàtic o per una filtració interna, aquestes dades poden ser utilitzades per finalitats il·legals. Per tant, el disseny protocols que garanteixin la privadesa dels ciutadans que formen part d'una e-society esdevé una tasca de gran importància.La presente tesis se centra en la privacidad de los ciudadanos en el transporte vehicular dentro del marco de una e-society. En concreto, las contribuciones de la tesis se centran en las subcategorías de estacionamiento de vehículos privados en zonas públicas reguladas y en la realización de transbordos entre líneas interconectadas en el ámbito del transporte público. Una análisi acurada de los datos recopilados por los proveedores de los servicios, sobre un determinado usuario, puede proporcionar información personal sensible como por ejemplo: horario laboral, profesión, hobbies, problemas de salud, tendencias políticas, inclinaciones sexuales, etc. A pesar que hay leyes, como la europea GDPR, que obligan a usar de forma correcta los datos recopilados por parte de los proveedores de servicios, ya sea por un ataque informático o por una filtración interna, estos datos pueden utilizarse para fines ilegales. Por lo tanto, es vital diseñar protocolos que garanticen la privacidad de los ciudadanos que forman parte de una e-society.This thesis is focused on the privacy of citizens while using vehicular transport systems within an e-society frame. Specifically, the thesis contributes to two subcategories. The first one refers to pay-by-phone systems for parking vehicles in regulated public areas. The second one is about the use of e-tickets in public transport systems allowing transfers between connecting lines. A careful analysis of data collected by service providers can provide sensitive personal information such as: work schedule, profession, hobbies, health problems, political tendencies, sexual inclinations, etc. Although the law, like the European GDPR, requires the correct use of the data collected by service providers, data can be used for illegal purposes after being stolen as a result of a cyber-attack or after being leaked by an internal dishonest employee. Therefore, the design of privacy-preserving solutions for mobility-based services is mandatory in the e-society