
    New Second Preimage Attacks on Dithered Hash Functions with Low Memory Complexity

    Dithered hash functions were proposed by Rivest as a method to mitigate second preimage attacks on Merkle-Damgård hash functions. Despite that, second preimage attacks against dithered hash functions were proposed by Andreeva et al. One issue with these attacks is their huge memory requirement in both the precomputation and the online phases. In this paper, we present new second preimage attacks on the dithered Merkle-Damgård construction. These attacks consume significantly less memory in the online phase (with a negligible increase in online time complexity) than previous attacks. For example, in the case of MD5 with the Keränen sequence, we reduce the memory complexity from about 2^51 blocks to about 2^26.7 blocks (about 545 MB). We also present an essentially memoryless variant of the attack of Andreeva et al. In the case of MD5-Keränen or SHA1-Keränen, the offline and online memory complexity is 2^15.2 message blocks (about 188–235 KB), at the expense of increasing the offline time complexity.

    A fault-analysis attack on the HMAC and NMAC message authentication code algorithms (Атака методом анализа сбоев на алгоритмы выработки имитовставок HMAC и NMAC)

    One of the important problems in the design and practical implementation of cryptosystems is providing countermeasures against side-channel attacks. Algorithms whose strength is beyond serious doubt from a purely mathematical point of view frequently turn out to be vulnerable to such attacks when implemented on a specific physical device.

    A fault-analysis attack is one variant of side-channel attack on a cryptosystem. Its essence is that the attacker actively influences the physical device performing the computation (for example, a smart card). The faults induced by this influence are then analysed in order to recover secret information stored inside the device. Such attacks are often significantly more efficient than passive side-channel attacks.

    Fault-analysis attacks were proposed more than 20 years ago. Since then, attacks have been successfully built against implementations of a whole range of symmetric and asymmetric cryptographic algorithms. A number of different methods of actively influencing the computation have also been proposed, exploiting specific physical effects and characteristics of the computing environment. Approaches to counteracting such attacks are also actively developing, using both physical and purely mathematical methods. It should be noted, however, that cryptographic hash functions, and the more complex cryptographic schemes that contain them as components (for example, some message authentication codes and digital signatures), are only slightly represented in this body of work.

    It is important to note that the practical application of a specific attack requires a combination of the following factors: the possibility of a specific physical influence on the computation, an adequate mathematical model of that physical influence, and the purely mathematical component of the attack, that is, a specific algorithm for introducing faults and subsequently analysing the results. At the same time, solving each of these problems separately is of independent theoretical value.

    The results of this paper do not touch the physical component of the attack and are limited to the mathematics. In other words, specific algorithms for introducing faults and analysing the results are proposed; the particular fault model is considered known and given. Several such models are considered, based on analogues previously proposed for other algorithms.

    Two standards for forming message authentication codes were chosen as the object of study: HMAC and NMAC. These standards can be based on any cryptographic hash function that provides the required level of security. The paper examines four widely used hash functions: MD5, MD4, SHA-1 and SHA-0.

    The main results of the paper are:
    - specific algorithms for introducing faults into the computation and subsequently analysing them, which allow secret information (secret keys) to be recovered;
    - complexity estimates for such attacks (in terms of the number of introduced faults and the work factor of the subsequent analysis), found and justified for various combinations of parameters (algorithms and fault models);
    - a demonstration that the attacks can be carried out in reasonable time.

    On FPGA-based implementations of Grøstl

    The National Institute of Standards and Technology (NIST) has started a competition for a new secure hash standard. To make a meaningful comparison between the submitted candidates, third-party implementations of all proposed hash functions are needed. This is one of the reasons why the SHA-3 candidate Grøstl has been chosen for an FPGA-based implementation. Our work is mainly motivated by current and future developments in the automotive market (e.g. car-to-car communication systems), which will further increase the need for a suitable cryptographic infrastructure in modern vehicles (cf. the AUTOSAR project). One core component of such an infrastructure is a secure cryptographic hash function, which is used in many applications such as challenge-response authentication systems and digital signature schemes. Another motivation to evaluate Grøstl is its resemblance to AES. The automotive market, like any mass market, demands low-budget and therefore compact implementations, hence our evaluation of Grøstl focuses on area optimizations. It is shown that, while Grøstl is inherently quite large compared to AES, it is still possible to implement the Grøstl algorithm on small and low-budget FPGAs such as the second-smallest available Spartan-3, while maintaining a reasonably high throughput.

    Breaking the FF3 Format Preserving Encryption

    The NIST standard FF3 scheme (also known as the BPS scheme) is a tweakable block cipher based on an 8-round Feistel network. We break it with a practical attack. Our attack exploits the bad domain separation in the FF3 design. The attack works with chosen plaintexts and tweaks when the message domain is small. Our FF3 attack requires $O(N^{11/6})$ chosen plaintexts with time complexity $N^5$, where $N^2$ is the domain size of the Feistel network. Due to the bad domain separation in 8-round FF3, we reduce the FF3 attack to an attack on 4-round Feistel networks. In our generic attack, we reconstruct the entire codebook of a 4-round Feistel network with $N^{3/2} (N/2)^{1/6}$ known plaintexts and time complexity $N^4$.

    An algebraic time-advantage-based key establishment protocol

    In this thesis we have built a key-establishment protocol that takes advantage of a resource: time. When two devices spend a pre-determined, mostly uninterrupted time interval with each other, they are able to establish a key. However, it is not just the quantity of time but also its quality that matters. The amount of information the legitimate party gains about the key over time is flexible and can be chosen by the user. We have analyzed our protocol thoroughly and discussed the circumstances under which an adversary can gain access to information about the key.

    A Statistical Verification Method of Random Permutations for Hiding Countermeasure Against Side-Channel Attacks

    As NIST puts the final touches on the standardization of post-quantum cryptography (PQC) public-key algorithms, it is a near certainty that attacks not addressed by the new PQC algorithms will surface, which will in turn prompt further studies of attacks and countermeasures. From the attacker's perspective, one viable form of attack that remains applicable is the side-channel attack. The two best-known countermeasures against side-channel attacks are masking and hiding. Of particular note in that picture are the successful single-trace attacks on some of NIST's then-candidate PQC schemes, which worked against the former, masking. In this paper we examine the latter, hiding. Hiding holds up against both side-channel attacks and an equally powerful class of attacks, fault injection attacks, and is therefore a promising countermeasure to implement. Mathematically, the hiding method is fundamentally based on random permutations. There have been many studies on generating random permutations, but they are not tied to the implementation of the hiding method. In this paper we propose a reliable and efficient verification of permutation implementations, employing the Fisher-Yates shuffle. We introduce the concept of an n-th order permutation and explain how it can be used to verify that our implementation is more efficient than its previous-generation counterparts for hiding countermeasures. Comment: 29 pages, 6 figures
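    The verification idea above, a statistical check that a shuffle used for a hiding countermeasure really produces uniformly random permutations, as an added example. This is not the paper's code or its n-th order permutation method: it implements the unbiased Fisher-Yates shuffle beside the classic biased variant (index drawn from the whole range) and tests both with a Pearson chi-square statistic over an element-to-position count table. The threshold factor, the seed and the trial counts are assumptions chosen for the demonstration; a deployed countermeasure would draw its randomness from a DRBG or TRNG rather than `random.Random`.

```python
import random
from typing import Callable, List, Sequence, Tuple

Shuffle = Callable[[int, random.Random], List[int]]


def fisher_yates(n: int, rng: random.Random) -> List[int]:
    """Unbiased Fisher-Yates (Knuth) shuffle of range(n).

    Position i is swapped with a uniformly chosen j in [0, i]; the n! possible
    paths map one-to-one onto the n! permutations, so each has probability 1/n!.
    """
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = rng.randrange(i + 1)              # inclusive upper bound i
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def naive_shuffle(n: int, rng: random.Random) -> List[int]:
    """The classic broken variant: j is drawn from the whole range [0, n).

    There are n**n equally likely paths but only n! permutations; for n > 2,
    n! does not divide n**n, so some permutations are over-represented.
    """
    perm = list(range(n))
    for i in range(n):
        j = rng.randrange(n)                  # bug: should be randrange(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def apply_permutation(items: Sequence, perm: Sequence[int]) -> list:
    """Hiding: run independent operations (e.g. S-box lookups) in a shuffled order."""
    return [items[k] for k in perm]


def sample_permutation(shuffle: Shuffle, n: int, seed: int) -> List[int]:
    """One permutation from a seeded generator (seed is for reproducibility only)."""
    return shuffle(n, random.Random(seed))


def position_counts(shuffle: Shuffle, n: int, trials: int, rng: random.Random) -> List[List[int]]:
    """counts[e][p] = how often element e ended up at position p over `trials` shuffles."""
    counts = [[0] * n for _ in range(n)]
    for _ in range(trials):
        for pos, elem in enumerate(shuffle(n, rng)):
            counts[elem][pos] += 1
    return counts


def chi_square(counts: List[List[int]], trials: int) -> float:
    """Pearson chi-square statistic against the uniform expectation trials/n per cell."""
    n = len(counts)
    expected = trials / n
    return sum((c - expected) ** 2 / expected for row in counts for c in row)


def uniformity_check(shuffle: Shuffle, n: int, trials: int, seed: int,
                     factor: float = 5.0) -> Tuple[float, float, bool]:
    """Statistical verification of a shuffle implementation: (statistic, threshold, passed).

    The element-to-position table has (n-1)**2 degrees of freedom, so a correct
    shuffle yields a statistic of roughly that size. The threshold
    factor*(n-1)**2 is a deliberately loose bound (assumed; no chi-square tables
    needed). A biased shuffle's statistic grows linearly with `trials` and fails
    by a wide margin.
    """
    rng = random.Random(seed)   # seeded for reproducibility; not a CSPRNG
    stat = chi_square(position_counts(shuffle, n, trials, rng), trials)
    threshold = factor * (n - 1) ** 2
    return stat, threshold, stat < threshold


if __name__ == "__main__":
    for name, fn in (("fisher_yates", fisher_yates), ("naive_shuffle", naive_shuffle)):
        stat, thr, ok = uniformity_check(fn, n=4, trials=20000, seed=1234)
        print(f"{name:14s} chi2={stat:8.1f} threshold={thr:5.1f} {'PASS' if ok else 'FAIL'}")
    print(apply_permutation(["sbox0", "sbox1", "sbox2", "sbox3"],
                            sample_permutation(fisher_yates, 4, seed=1)))
```

    The position-count table scales to the permutation sizes a hiding countermeasure actually uses (hundreds of operations), where enumerating all n! permutations is impossible; it catches the naive shuffle because, for n = 4, elements other than the first land on some positions with probability up to 75/256 instead of 1/4.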

    Cryptanalysis of Feistel-Based Format-Preserving Encryption

    Format-Preserving Encryption (FPE) is a method to encrypt non-standard domains, thus allowing for securely encrypting not only binary strings but also special domains, e.g., social security numbers into social security numbers. This need has led to a few standardized constructions such as the NIST-standardized FF1 and FF3-1 and the Korean standards FEA-1 and FEA-2. Moreover, there are currently efforts in both ANSI and ISO to include such block ciphers in standards (e.g., ANSI X9.124, which discusses encryption for financial services). Most of the proposed FPE schemes, such as the NIST-standardized FF1 and FF3-1 and the Korean standards FEA-1 and FEA-2, are based on a Feistel construction with pseudo-random round functions. Moreover, to mitigate enumeration attacks against the possibly small domains, they all employ tweaks, which enlarge the effective domain sizes. In this paper we present distinguishing attacks against Feistel-based FPEs. We show a distinguishing attack against the full FF1 with data complexity of $2^{60}$ 20-bit plaintexts, and against the full FF3-1 with data complexity of $2^{40}$ 20-bit plaintexts. For FEA-1 with 128-bit, 192-bit and 256-bit keys, the data complexity of the distinguishing attack is $2^{32}$, $2^{40}$, and $2^{48}$ 8-bit plaintexts, respectively. The data complexity of the distinguishing attack against the full FEA-2 with 128-bit, 192-bit and 256-bit keys is $2^{56}$, $2^{68}$, and $2^{80}$ 8-bit plaintexts, respectively. Moreover, we show how to extend the distinguishing attacks on FEA-1 and FEA-2 with 192-bit and 256-bit keys into key recovery attacks with time complexity $2^{136}$ (for both attacks).

    Approximate Thumbnail Preserving Encryption

    Thumbnail preserving encryption (TPE) was suggested by Wright et al. as a way to balance privacy and usability for online image sharing. The idea is to encrypt a plaintext image into a ciphertext image that has roughly the same thumbnail while retaining the original image format. At the same time, TPE allows users to take advantage of much of the functionality of online photo management tools, while still providing some level of privacy against the service provider. In this work we present three new approximate TPE schemes. In our schemes, ciphertexts and plaintexts have perceptually similar, but not identical, thumbnails. Our constructions are the first TPE schemes designed to work well with JPEG compression. In addition, we show that they have provable security guarantees that characterize precisely what information about the plaintext is leaked by the ciphertext image. We empirically evaluate our schemes according to the similarity of plaintext and ciphertext thumbnails, the increase in file size under JPEG compression, and the preservation of perceptual image hashes, among other aspects. We also show how approximate TPE can be an effective tool to thwart inference attacks by machine-learning image classifiers, which have been shown to be effective against other image obfuscation techniques.

    Linear Cryptanalysis of FF3-1 and FEA

    Improved attacks on generic small-domain Feistel ciphers with alternating round tweaks are obtained using linear cryptanalysis. This results in practical distinguishing and message-recovery attacks on the United States format-preserving encryption standard FF3-1 and the South Korean standards FEA-1 and FEA-2. The data complexity of the proposed attacks on FF3-1 and FEA-1 is $O(N^{r/2 - 1.5})$, where $N^2$ is the domain size and $r$ is the number of rounds. For example, FF3-1 with $N = 10^3$ can be distinguished from an ideal tweakable block cipher with advantage $\ge 1/10$ using $2^{23}$ encryption queries. Recovering the left half of a message with similar advantage requires $2^{24}$ data. The analysis of FF3-1 serves as an interesting real-world application of (generalized) linear cryptanalysis over the group $\mathbb{Z}/N\mathbb{Z}$.

    Generic Round-Function-Recovery Attacks for Feistel Networks over Small Domains

    Feistel networks (FN) are now used massively to encrypt credit card numbers through format-preserving encryption. In our work, we focus on FN with two branches, entirely unknown round functions, modular additions (or other group operations), and a small branch domain size (called $N$). We investigate round-function-recovery attacks. The best known attack so far is an improvement of the meet-in-the-middle (MITM) attack by Isobe and Shibutani from ASIACRYPT 2013, with optimal data complexity $q = rN/2$ and time complexity $N^{\frac{r-4}{2}N + o(N)}$, where $r$ is the number of rounds in the FN. We construct an algorithm with a surprisingly better complexity when $r$ is too low, based on partial exhaustive search. When the data complexity varies from the optimal to that of a codebook attack, $q = N^2$, our time complexity can reach $N^{O\left(N^{1 - \frac{1}{r-2}}\right)}$. It crosses the complexity of the improved MITM for $q \sim N \frac{\mathrm{e}^3}{r} 2^{r-3}$. We also estimate the lowest secure number of rounds depending on $N$ and the security goal. We show that the format-preserving-encryption schemes FF1 and FF3 standardized by NIST and ANSI cannot offer 128-bit security (as they are supposed to) for $N \le 11$ and $N \le 17$, respectively (the NIST standard only requires $N \ge 10$), and we improve the results of Durak and Vaudenay from CRYPTO 2017.
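    The two-branch Feistel network over $(\mathbb{Z}/N)^2$ with modular addition described in this abstract, together with the FF3 tweak domain-separation problem from the "Breaking the FF3 Format Preserving Encryption" abstract above, as one added example. It is not the code of either paper and it does not implement their attacks: it builds a toy 8-round small-domain Feistel, derives the per-round tweak words exactly as FF3 (NIST SP 800-38G: TL = T[0..31], TR = T[32..63], TR for even rounds and TL for odd, XORed with the round index) and as FF3-1 (SP 800-38G Rev. 1: a 56-bit tweak whose halves end in a zero nibble), and checks the structural fact behind the 8-to-4-round reduction: with the FF3 schedule, the tweak T' = T xor (00000004 || 00000004) makes rounds 0..3 under T' identical to rounds 4..7 under T, so the 8-round cipher is B∘A under T and A∘B under T', while the FF3-1 masking pins the round index into the low nibble of every round word. The round function (HMAC-SHA256 reduced mod N instead of AES, no digit reversal), the key and the tweak values are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Tuple

ROUNDS = 8
Branch = Tuple[int, int]   # (left, right), each in Z/N


def ff3_tweak_halves(t: bytes) -> Tuple[int, int]:
    """FF3 (SP 800-38G): 64-bit tweak, TL = T[0..31], TR = T[32..63]."""
    if len(t) != 8:
        raise ValueError("FF3 tweak must be 64 bits")
    return int.from_bytes(t[:4], "big"), int.from_bytes(t[4:], "big")


def ff3_1_tweak_halves(t: bytes) -> Tuple[int, int]:
    """FF3-1 (SP 800-38G Rev. 1): 56-bit tweak.
    TL = T[0..27] || 0000, TR = T[32..55] || T[28..31] || 0000 (bits counted from
    the MSB), so the low nibble of each half, where the round index is XORed in,
    is always zero."""
    if len(t) != 7:
        raise ValueError("FF3-1 tweak must be 56 bits")
    tl = t[0:3] + bytes([t[3] & 0xF0])
    tr = t[4:7] + bytes([(t[3] & 0x0F) << 4])
    return int.from_bytes(tl, "big"), int.from_bytes(tr, "big")


def round_word(halves: Tuple[int, int], i: int) -> int:
    """Per-round tweak word of FF3/FF3-1: TR for even rounds, TL for odd, XOR [i]."""
    tl, tr = halves
    return (tr if i % 2 == 0 else tl) ^ i


def round_function(key: bytes, word: int, b: int, n: int) -> int:
    """Toy PRF (assumption): HMAC-SHA256(key, word || b) mod N, standing in for FF3's AES call."""
    msg = word.to_bytes(4, "big") + b.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % n


def feistel(key: bytes, halves: Tuple[int, int], x: Branch, n: int,
            start: int = 0, stop: int = ROUNDS, decrypt: bool = False) -> Branch:
    """Two-branch Feistel over (Z/N)^2 with modular addition, applying rounds start..stop-1."""
    a, b = x
    if not decrypt:
        for i in range(start, stop):
            a, b = b, (a + round_function(key, round_word(halves, i), b, n)) % n
    else:
        for i in reversed(range(start, stop)):
            a, b = (b - round_function(key, round_word(halves, i), a, n)) % n, a
    return a, b


def roundtrip_ok(key: bytes, halves: Tuple[int, int], n: int) -> bool:
    """Decryption inverts encryption over the whole N^2 codebook."""
    return all(feistel(key, halves, feistel(key, halves, (a, b), n), n, decrypt=True) == (a, b)
               for a in range(n) for b in range(n))


def round_index_visible(halves: Tuple[int, int]) -> bool:
    """Domain separation: the low nibble of every round word is the round index itself,
    so no tweak can make round i of one tweak reuse round j != i of another."""
    return all((round_word(halves, i) & 0xF) == i for i in range(ROUNDS))


def ff3_sibling_tweak(t: bytes) -> bytes:
    """T' = T xor (00000004 || 00000004): flips bit 2 of both FF3 tweak halves."""
    return bytes(x ^ y for x, y in zip(t, bytes.fromhex("0000000400000004")))


def ff3_round_collision(t: bytes) -> bool:
    """In FF3, round i under T' uses exactly the round word of round i ^ 4 under T."""
    h, h2 = ff3_tweak_halves(t), ff3_tweak_halves(ff3_sibling_tweak(t))
    return all(round_word(h2, i) == round_word(h, i ^ 4) for i in range(ROUNDS))


def halves_swap(key: bytes, t: bytes, n: int) -> bool:
    """Consequence: rounds 0..3 under T' compute the same map as rounds 4..7 under T and
    vice versa (checked over the codebook), i.e. E_T = B∘A while E_T' = A∘B."""
    h, h2 = ff3_tweak_halves(t), ff3_tweak_halves(ff3_sibling_tweak(t))
    return all(feistel(key, h2, (a, b), n, 0, 4) == feistel(key, h, (a, b), n, 4, 8)
               and feistel(key, h2, (a, b), n, 4, 8) == feistel(key, h, (a, b), n, 0, 4)
               for a in range(n) for b in range(n))


if __name__ == "__main__":
    key = b"constructed key"                       # constructed sample values
    t_ff3 = bytes.fromhex("D8E7920AFA330A73")
    t_ff3_1 = bytes.fromhex("39383736353433")
    print("FF3  round-word collision with T xor (4,4):", ff3_round_collision(t_ff3))
    print("FF3  4+4 round halves swap under T':", halves_swap(key, t_ff3, 10))
    print("FF3  round index visible:", round_index_visible(ff3_tweak_halves(t_ff3)))
    print("FF3-1 round index visible:", round_index_visible(ff3_1_tweak_halves(t_ff3_1)))
```

    The check a practitioner wants from this is the last one: a tweak schedule whose round words can coincide across rounds for related tweaks gives an adversary who controls tweaks a shorter cipher to attack, and the FF3-1 fix is nothing more than reserving the low nibble of each tweak half for the round index. Note that an individual FF3 tweak may happen to have zero low nibbles; the point is that the scheme does not guarantee it.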