43 research outputs found
New Second Preimage Attacks on Dithered Hash Functions with Low Memory Complexity
Dithered hash functions were proposed by Rivest as a method
to mitigate second preimage attacks on Merkle-Damgard hash functions.
Despite that, second preimage attacks against dithered hash functions
were proposed by Andreeva et al. One issue with these second preimage
attacks is their huge memory requirement in the precomputation and the
online phases. In this paper, we present new second preimage attacks on
the dithered Merkle-Damgard construction. These attacks consume significantly
less memory in the online phase (with a negligible increase in
the online time complexity) than previous attacks. For example, in the
case of MD5 with the Keranen sequence, we reduce the memory complexity
from about 2^51 blocks to about 2^26.7 blocks (about 545 MB). We also
present an essentially memoryless variant of Andreeva et al. attack. In
case of MD5-Keranen or SHA1-Keranen, the offline and online memory
complexity is 2^15.2 message blocks (about 188β235 KB), at the expense
of increasing the offline time complexity
ΠΡΠ°ΠΊΠ° ΠΌΠ΅ΡΠΎΠ΄ΠΎΠΌ Π°Π½Π°Π»ΠΈΠ·Π° ΡΠ±ΠΎΠ΅Π² Π½Π° Π°Π»Π³ΠΎΡΠΈΡΠΌΡ Π²ΡΡΠ°Π±ΠΎΡΠΊΠΈ ΠΈΠΌΠΈΡΠΎΠ²ΡΡΠ°Π²ΠΎΠΊ HMAC ΠΈ NMAC
One of the important problems arising in designing and practical implementation of cryptosystems is provide countermeasures against side-channel attacks. When implemented on a specific physical device, the algorithms, strength of which from the purely mathematical point of view is without great doubt, often employ weaknesses to such attacks.A fault analysis attack is one of the options of the side-channel attack on a cryptosystem. Its essence is that the attacker has an active influence on a physical device that provides computation (for example, a smart card). Faults caused by influence are then analysed in order to restore security information that is stored inside the device. These attacks are often significantly more efficient than passive side-channel attacks.The fault analysis attacks were proposed over 20 years ago. Since then, attacks have been successfully built owing to implementation of a number of symmetric and asymmetric crypto-algorithms. Also, a number of different methods for active influence on computation have been proposed, using specific physical effects and characteristics of the computing environment. Approaches to counteracting such types of attacks are also actively developing. For this, both physical and purely mathematical methods are used. However, it should be noted that cryptographic hash functions, and more complex crypto-schemes containing them as components (for example, some message authentication codes and digital signatures), are slightly presented in these papers.It is important to note that practical implementation of a specific attack requires that a combination of the following factors is available: a possibility of a specific physical impact on computation, an adequate mathematical model of such physical impact and a purely mathematical component of the attack that is a specific algorithms for introducing faults and further analysis of the results. At the same time, the solution of each of these problems separately is of independent theoretical value.The paper results do not involve the physical component of attack, aiming only at mathematics. In other words, a proposal is to present the specific algorithms for introducing faults and further analysis of the results. In this case, a specific fault model is considered known and specified. Several such models have been considered, based on the similar ones previously proposed for other algorithms.As an object of study, two standards to form message authentication codes have been selected: HMAC and NMAC. These standards can be based on any cryptographic hash function that provides the required level of security. The paper examines four examples of widely used hashes: MD5, MD4, SHA-1, SHA-0.The main results of the paper are as follows:- built specific algorithms for introducing faults in computation and their further analysis, allowing to discover secret information (secret keys);- finding and validation of estimates of such attacks (in terms of the number of introduced faults and the work factor of further analysis) for various combinations of parameters (algorithms and fault models);Β - shown that attacks timing can be reasonable.ΠΠ΄Π½ΠΎΠΉ ΠΈΠ· Π²Π°ΠΆΠ½ΡΡ
ΠΏΡΠΎΠ±Π»Π΅ΠΌ, Π²ΠΎΠ·Π½ΠΈΠΊΠ°ΡΡΠΈΡ
ΠΏΡΠΈ ΠΏΡΠΎΠ΅ΠΊΡΠΈΡΠΎΠ²Π°Π½ΠΈΠΈ ΠΈ ΠΏΡΠ°ΠΊΡΠΈΡΠ΅ΡΠΊΠΎΠΉ ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΠΊΡΠΈΠΏΡΠΎΡΠΈΡΡΠ΅ΠΌ, ΡΠ²Π»ΡΠ΅ΡΡΡ ΠΏΡΠΎΡΠΈΠ²ΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΠ΅ Π°ΡΠ°ΠΊΠ°ΠΌ ΠΏΠΎ ΠΏΠΎΠ±ΠΎΡΠ½ΡΠΌ ΠΊΠ°Π½Π°Π»Π°ΠΌ. ΠΠ΅ΡΠ΅Π΄ΠΊΠΎ Π°Π»Π³ΠΎΡΠΈΡΠΌΡ, ΡΡΠΎΠΉΠΊΠΎΡΡΡ ΠΊΠΎΡΠΎΡΡΡ
Ρ ΡΠΈΡΡΠΎ ΠΌΠ°ΡΠ΅ΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΉ ΡΠΎΡΠΊΠΈ Π·ΡΠ΅Π½ΠΈΡ Π½Π΅ Π²ΡΠ·ΡΠ²Π°Π΅Ρ Π±ΠΎΠ»ΡΡΠΈΡ
ΡΠΎΠΌΠ½Π΅Π½ΠΈΠΉ, ΠΎΠΊΠ°Π·ΡΠ²Π°ΡΡΡΡ ΡΡΠ·Π²ΠΈΠΌΡΠΌΠΈ ΠΊ ΡΠ°ΠΊΠΈΠΌ Π°ΡΠ°ΠΊΠ°ΠΌ ΠΏΡΠΈ ΠΈΡ
ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΠΈ Π½Π° ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΠΎΠΌ ΡΠΈΠ·ΠΈΡΠ΅ΡΠΊΠΎΠΌ ΡΡΡΡΠΎΠΉΡΡΠ²Π΅.ΠΡΠ°ΠΊΠ° ΠΌΠ΅ΡΠΎΠ΄ΠΎΠΌ Π°Π½Π°Π»ΠΈΠ·Π° ΡΠ±ΠΎΠ΅Π² ΡΠ²Π»ΡΠ΅ΡΡΡ ΠΎΠ΄Π½ΠΈΠΌ ΠΈΠ· Π²Π°ΡΠΈΠ°Π½ΡΠΎΠ² Π°ΡΠ°ΠΊΠΈ Π½Π° ΠΊΡΠΈΠΏΡΠΎΡΠΈΡΡΠ΅ΠΌΡ ΠΏΠΎ ΠΏΠΎΠ±ΠΎΡΠ½ΡΠΌ ΠΊΠ°Π½Π°Π»Π°ΠΌ. Π‘ΡΡΡ Π΅Π΅ ΡΠΎΡΡΠΎΠΈΡ Π² Π°ΠΊΡΠΈΠ²Π½ΠΎΠΌ Π²ΠΎΠ·Π΄Π΅ΠΉΡΡΠ²ΠΈΠΈ Π°ΡΠ°ΠΊΡΡΡΠΈΠΌ Π½Π° ΡΠΈΠ·ΠΈΡΠ΅ΡΠΊΠΎΠ΅ ΡΡΡΡΠΎΠΉΡΡΠ²ΠΎ, ΠΎΡΡΡΠ΅ΡΡΠ²Π»ΡΡΡΠ΅Π΅ ΠΏΡΠΎΡΠ΅ΡΡ Π²ΡΡΠΈΡΠ»Π΅Π½ΠΈΠΉ (Π½Π°ΠΏΡΠΈΠΌΠ΅Ρ, ΡΠΌΠ°ΡΡ-ΠΊΠ°ΡΡΡ). ΠΠΎΠ»ΡΡΠ°Π΅ΠΌΡΠ΅ Π² ΡΠ΅Π·ΡΠ»ΡΡΠ°ΡΠ΅ Π²ΠΎΠ·Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΠΈΡΠΊΠ°ΠΆΠ΅Π½ΠΈΡ Π·Π°ΡΠ΅ΠΌ Π°Π½Π°Π»ΠΈΠ·ΠΈΡΡΡΡΡΡ Ρ ΡΠ΅Π»ΡΡ Π²ΠΎΡΡΡΠ°Π½ΠΎΠ²ΠΈΡΡ ΡΠ΅ΠΊΡΠ΅ΡΠ½ΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ, Ρ
ΡΠ°Π½ΠΈΠΌΡΡ Π²Π½ΡΡΡΠΈ ΡΡΡΡΠΎΠΉΡΡΠ²Π°. ΠΠΎΠ΄ΠΎΠ±Π½ΡΠ΅ Π°ΡΠ°ΠΊΠΈ Π·Π°ΡΠ°ΡΡΡΡ ΠΎΠΊΠ°Π·ΡΠ²Π°ΡΡΡΡ Π·Π½Π°ΡΠΈΡΠ΅Π»ΡΠ½ΠΎ ΡΡΡΠ΅ΠΊΡΠΈΠ²Π½Π΅Π΅ ΠΏΠ°ΡΡΠΈΠ²Π½ΡΡ
Π°ΡΠ°ΠΊ ΠΏΠΎ ΠΏΠΎΠ±ΠΎΡΠ½ΡΠΌ ΠΊΠ°Π½Π°Π»Π°ΠΌ.ΠΡΠ°ΠΊΠΈ ΠΌΠ΅ΡΠΎΠ΄ΠΎΠΌ Π°Π½Π°Π»ΠΈΠ·Π° ΡΠ±ΠΎΠ΅Π² Π±ΡΠ»ΠΈ ΠΏΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½Ρ Π² Π±ΠΎΠ»Π΅Π΅ 20 Π»Π΅Ρ Π½Π°Π·Π°Π΄. Π‘ ΡΠ΅Ρ
ΠΏΠΎΡ Π±ΡΠ»ΠΈ ΡΡΠΏΠ΅ΡΠ½ΠΎ ΠΏΠΎΡΡΡΠΎΠ΅Π½Ρ Π°ΡΠ°ΠΊΠΈ Π½Π° ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΡΠ΅Π»ΠΎΠ³ΠΎ ΡΡΠ΄Π° ΡΠΈΠΌΠΌΠ΅ΡΡΠΈΡΠ½ΡΡ
ΠΈ Π°ΡΠΈΠΌΠΌΠ΅ΡΡΠΈΡΠ½ΡΡ
ΠΊΡΠΈΠΏΡΠΎΠ°Π»Π³ΠΎΡΠΈΡΠΌΠΎΠ². Π’Π°ΠΊΠΆΠ΅ Π±ΡΠ» ΠΏΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½ ΡΡΠ΄ ΡΠ°Π·Π»ΠΈΡΠ½ΡΡ
ΠΌΠ΅ΡΠΎΠ΄ΠΎΠ² ΠΎΡΡΡΠ΅ΡΡΠ²Π»Π΅Π½ΠΈΡ Π°ΠΊΡΠΈΠ²Π½ΠΎΠ³ΠΎ Π²ΠΎΠ·Π΄Π΅ΠΉΡΡΠ²ΠΈΡ Π½Π° ΠΏΡΠΎΡΠ΅ΡΡ Π²ΡΡΠΈΡΠ»Π΅Π½ΠΈΠΉ, Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΡΡ
ΡΠΈΠ·ΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΡΡΠ΅ΠΊΡΠΎΠ² ΠΈ ΠΎΡΠΎΠ±Π΅Π½Π½ΠΎΡΡΠ΅ΠΉ Π²ΡΡΠΈΡΠ»ΠΈΡΠ΅Π»ΡΠ½ΠΎΠΉ ΡΡΠ΅Π΄Ρ. Π’Π°ΠΊΠΆΠ΅ Π°ΠΊΡΠΈΠ²Π½ΠΎ ΡΠ°Π·Π²ΠΈΠ²Π°ΡΡΡΡ ΠΈ ΠΏΠΎΠ΄Ρ
ΠΎΠ΄Ρ ΠΊ ΠΏΡΠΎΡΠΈΠ²ΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ°ΠΊΠΎΠ³ΠΎ ΡΠΎΠ΄Π° Π°ΡΠ°ΠΊΠ°ΠΌ. ΠΠ»Ρ ΡΡΠΎΠ³ΠΎ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡΡΡ ΠΊΠ°ΠΊ ΡΠΈΠ·ΠΈΡΠ΅ΡΠΊΠΈΠ΅, ΡΠ°ΠΊ ΠΈ ΡΠΈΡΡΠΎ ΠΌΠ°ΡΠ΅ΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠ΅ ΠΌΠ΅ΡΠΎΠ΄Ρ. ΠΠ΄Π½Π°ΠΊΠΎ ΡΠ»Π΅Π΄ΡΠ΅Ρ ΠΎΡΠΌΠ΅ΡΠΈΡΡ, ΡΡΠΎ ΠΊΡΠΈΠΏΡΠΎΠ³ΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠ΅ Ρ
ΡΡ-ΡΡΠ½ΠΊΡΠΈΠΈ, ΠΈ Π±ΠΎΠ»Π΅Π΅ ΡΠ»ΠΎΠΆΠ½ΡΠ΅ ΠΊΡΠΈΠΏΡΠΎΡΡ
Π΅ΠΌΡ, ΡΠΎΠ΄Π΅ΡΠΆΠ°ΡΠΈΠ΅ ΠΈΡ
Π² ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ ΠΊΠΎΠΌΠΏΠΎΠ½Π΅Π½Ρ (Π½Π°ΠΏΡΠΈΠΌΠ΅Ρ, Π½Π΅ΠΊΠΎΡΠΎΡΡΠ΅ ΠΈΠΌΠΈΡΠΎΠ²ΡΡΠ°Π²ΠΊΠΈ ΠΈ ΡΠΈΡΡΠΎΠ²ΡΠ΅ ΠΏΠΎΠ΄ΠΏΠΈΡΠΈ), Π² ΡΠ°ΠΌΠΊΠ°Ρ
ΡΡΠΈΡ
ΡΠ°Π±ΠΎΡ ΠΏΡΠ΅Π΄ΡΡΠ°Π²Π»Π΅Π½Ρ Π½Π΅Π·Π½Π°ΡΠΈΡΠ΅Π»ΡΠ½ΠΎ.ΠΠ°ΠΆΠ½ΠΎ ΠΎΡΠΌΠ΅ΡΠΈΡΡ, ΡΡΠΎ Π΄Π»Ρ ΠΏΡΠ°ΠΊΡΠΈΡΠ΅ΡΠΊΠΎΠ³ΠΎ ΠΏΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΡ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΠΎΠΉ Π°ΡΠ°ΠΊΠΈ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΎΡΠ΅ΡΠ°Π½ΠΈΠ΅ ΡΠ»Π΅Π΄ΡΡΡΠΈΡ
ΡΠ°ΠΊΡΠΎΡΠΎΠ²: Π½Π°Π»ΠΈΡΠΈΡ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΠΈ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΠΎΠ³ΠΎ ΡΠΈΠ·ΠΈΡΠ΅ΡΠΊΠΎΠ³ΠΎ Π²ΠΎΠ·Π΄Π΅ΠΉΡΡΠ²ΠΈΡ Π½Π° Π²ΡΡΠΈΡΠ»ΠΈΡΠ΅Π»ΡΠ½ΡΠΉ ΠΏΡΠΎΡΠ΅ΡΡ, Π°Π΄Π΅ΠΊΠ²Π°ΡΠ½ΠΎΠΉ ΠΌΠ°ΡΠ΅ΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΉ ΠΌΠΎΠ΄Π΅Π»ΠΈ Π΄Π°Π½Π½ΠΎΠ³ΠΎ ΡΠΈΠ·ΠΈΡΠ΅ΡΠΊΠΎΠ³ΠΎ Π²ΠΎΠ·Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΠΈ ΡΠΈΡΡΠΎ ΠΌΠ°ΡΠ΅ΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠ³ΠΎ ΠΊΠΎΠΌΠΏΠΎΠ½Π΅Π½ΡΠ° Π°ΡΠ°ΠΊΠΈ --ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΠΎΠ³ΠΎ Π°Π»Π³ΠΎΡΠΈΡΠΌΠ° Π²Π½Π΅ΡΠ΅Π½ΠΈΡ ΠΈΡΠΊΠ°ΠΆΠ΅Π½ΠΈΠΉ ΠΈ ΠΏΠΎΡΠ»Π΅Π΄ΡΡΡΠ΅Π³ΠΎ Π°Π½Π°Π»ΠΈΠ·Π° ΡΠ΅Π·ΡΠ»ΡΡΠ°ΡΠΎΠ². ΠΡΠΈ ΡΡΠΎΠΌ ΡΠ΅ΡΠ΅Π½ΠΈΠ΅ ΠΊΠ°ΠΆΠ΄ΠΎΠΉ ΠΈΠ· ΡΡΠΈΡ
Π·Π°Π΄Π°Ρ ΠΏΠΎ ΠΎΡΠ΄Π΅Π»ΡΠ½ΠΎΡΡΠΈ ΠΏΡΠ΅Π΄ΡΡΠ°Π²Π»ΡΠ΅Ρ ΡΠ°ΠΌΠΎΡΡΠΎΡΡΠ΅Π»ΡΠ½ΡΡ ΡΠ΅ΠΎΡΠ΅ΡΠΈΡΠ΅ΡΠΊΡΡ ΡΠ΅Π½Π½ΠΎΡΡΡ.Π Π΅Π·ΡΠ»ΡΡΠ°ΡΡ Π½Π°ΡΡΠΎΡΡΠ΅ΠΉ ΡΠ°Π±ΠΎΡΡ Π½Π΅ Π·Π°ΡΡΠ°Π³ΠΈΠ²Π°ΡΡ ΡΠΈΠ·ΠΈΡΠ΅ΡΠΊΡΡ ΡΠΎΡΡΠ°Π²Π»ΡΡΡΡΡ Π°ΡΠ°ΠΊΠΈ, ΠΎΠ³ΡΠ°Π½ΠΈΡΠΈΠ²Π°ΡΡΡ Π»ΠΈΡΡ ΠΌΠ°ΡΠ΅ΠΌΠ°ΡΠΈΠΊΠΎΠΉ. ΠΠ½ΡΠΌΠΈ ΡΠ»ΠΎΠ²Π°ΠΌΠΈ, ΠΏΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½Ρ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΡΠ΅ Π°Π»Π³ΠΎΡΠΈΡΠΌΡ Π²Π½Π΅ΡΠ΅Π½ΠΈΡ ΠΈΡΠΊΠ°ΠΆΠ΅Π½ΠΈΠΉ ΠΈ ΠΏΠΎΡΠ»Π΅Π΄ΡΡΡΠ΅Π³ΠΎ Π°Π½Π°Π»ΠΈΠ·Π° ΡΠ΅Π·ΡΠ»ΡΡΠ°ΡΠΎΠ². ΠΡΠΈ ΡΡΠΎΠΌ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½Π°Ρ ΠΌΠΎΠ΄Π΅Π»Ρ ΡΠ±ΠΎΠ΅Π² ΡΡΠΈΡΠ°Π΅ΡΡΡ ΠΈΠ·Π²Π΅ΡΡΠ½ΠΎΠΉ ΠΈ Π·Π°Π΄Π°Π½Π½ΠΎΠΉ. Π Π°ΡΡΠΌΠΎΡΡΠ΅Π½ΠΎ Π½Π΅ΡΠΊΠΎΠ»ΡΠΊΠΎ ΡΠ°ΠΊΠΈΡ
ΠΌΠΎΠ΄Π΅Π»Π΅ΠΉ, ΠΊΠΎΡΠΎΡΡΠ΅ Π±Π°Π·ΠΈΡΡΡΡΡΡ Π½Π° Π°Π½Π°Π»ΠΎΠ³Π°Ρ
, ΡΠ°Π½Π΅Π΅ ΠΏΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½Π½ΡΡ
Π΄Π»Ρ Π΄ΡΡΠ³ΠΈΡ
Π°Π»Π³ΠΎΡΠΈΡΠΌΠΎΠ².Π ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ ΠΎΠ±ΡΠ΅ΠΊΡΠ° ΠΈΡΡΠ»Π΅Π΄ΠΎΠ²Π°Π½ΠΈΠΉ Π²ΡΠ±ΡΠ°Π½Ρ Π΄Π²Π° ΡΡΠ°Π½Π΄Π°ΡΡΠ° ΡΠΎΡΠΌΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΠΈΠΌΠΈΡΠΎΠ²ΡΡΠ°Π²ΠΎΠΊ: HMAC ΠΈ NMAC. Π£ΠΊΠ°Π·Π°Π½Π½ΡΠ΅ ΡΡΠ°Π½Π΄Π°ΡΡΡ ΠΌΠΎΠ³ΡΡ Π±Π°Π·ΠΈΡΠΎΠ²Π°ΡΡΡΡ Π½Π° Π»ΡΠ±ΠΎΠΉ ΠΊΡΠΈΠΏΡΠΎΠ³ΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΉ Ρ
ΡΡ-ΡΡΠ½ΠΊΡΠΈΠΈ, ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠΈΠ²Π°ΡΡΠ΅ΠΉ Π½ΡΠΆΠ½ΡΠΉ ΡΡΠΎΠ²Π΅Π½Ρ ΡΡΠΎΠΉΠΊΠΎΡΡΠΈ. Π Π΄Π°Π½Π½ΠΎΠΉ ΡΠ°Π±ΠΎΡΠ΅ ΠΈΡΡΠ»Π΅Π΄ΠΎΠ²Π°Π½Ρ ΡΠ΅ΡΡΡΠ΅ ΠΏΡΠΈΠΌΠ΅ΡΠ° ΡΠΈΡΠΎΠΊΠΎΡΠ°ΡΠΏΡΠΎΡΡΡΠ°Π½Π΅Π½Π½ΡΡ
Ρ
ΡΡΠ΅ΠΉ: MD5, MD4, SHA-1, SHA-0.ΠΡΠ½ΠΎΠ²Π½ΡΠΌΠΈ ΡΠ΅Π·ΡΠ»ΡΡΠ°ΡΠ°ΠΌΠΈ Π΄Π°Π½Π½ΠΎΠΉ ΡΠ°Π±ΠΎΡΡ ΡΠ²Π»ΡΡΡΡΡ ΡΠ»Π΅Π΄ΡΡΡΠΈΠ΅:-Β Β Β Β ΠΏΠΎΡΡΡΠΎΠ΅Π½Ρ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΡΠ΅ Π°Π»Π³ΠΎΡΠΈΡΠΌΡ Π²Π½Π΅ΡΠ΅Π½ΠΈΡ ΠΈΡΠΊΠ°ΠΆΠ΅Π½ΠΈΠΉ Π² Π²ΡΡΠΈΡΠ»ΠΈΡΠ΅Π»ΡΠ½ΡΠΉ ΠΏΡΠΎΡΠ΅ΡΡ, ΠΈ ΠΈΡ
Π΄Π°Π»ΡΠ½Π΅ΠΉΡΠ΅Π³ΠΎ Π°Π½Π°Π»ΠΈΠ·Π°, ΠΏΠΎΠ·Π²ΠΎΠ»ΡΡΡΠΈΠ΅ ΠΈΠ·Π²Π»Π΅ΡΡ ΡΠ΅ΠΊΡΠ΅ΡΠ½ΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ (ΡΠ΅ΠΊΡΠ΅ΡΠ½ΡΠ΅ ΠΊΠ»ΡΡΠΈ);-Β Β Β Β Π½Π°ΠΉΠ΄Π΅Π½Ρ ΠΈ ΠΎΠ±ΠΎΡΠ½ΠΎΠ²Π°Π½Ρ ΠΎΡΠ΅Π½ΠΊΠΈ ΡΠ»ΠΎΠΆΠ½ΠΎΡΡΠΈ ΡΠ°ΠΊΠΈΡ
Π°ΡΠ°ΠΊ (Π² ΡΠ΅ΡΠΌΠΈΠ½Π°Ρ
ΡΠΈΡΠ»Π° Π²Π½ΠΎΡΠΈΠΌΡΡ
ΡΠ±ΠΎΠ΅Π² ΠΈ ΡΡΡΠ΄ΠΎΠ΅ΠΌΠΊΠΎΡΡΠΈ ΠΏΠΎΡΠ»Π΅Π΄ΡΡΡΠ΅Π³ΠΎ Π°Π½Π°Π»ΠΈΠ·Π°) Π΄Π»Ρ ΡΠ°Π·Π»ΠΈΡΠ½ΡΡ
ΡΠΎΡΠ΅ΡΠ°Π½ΠΈΠΉ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΠΎΠ²(Π°Π»Π³ΠΎΡΠΈΡΠΌΠΎΠ² ΠΈ ΠΌΠΎΠ΄Π΅Π»Π΅ΠΉ ΡΠ±ΠΎΠ΅Π²);-Β Β Β Β ΠΏΠΎΠΊΠ°Π·Π°Π½ΠΎ, ΡΡΠΎ Π°ΡΠ°ΠΊΠΈ ΠΌΠΎΠ³ΡΡ Π±ΡΡΡ ΠΏΡΠΎΠ²Π΅Π΄Π΅Π½Ρ Π·Π° ΡΠ°Π·ΡΠΌΠ½ΠΎΠ΅ Π²ΡΠ΅ΠΌΡ
On FPGA-based implementations of Gr\{o}stl
The National Institute of Standards and Technology (NIST) has started a competition for a new secure hash standard. To make a significant comparison between the submitted candidates, third party implementations of all proposed hash functions are needed. This is one of the reasons why the SHA-3 candidate Gr\{o}stl has been chosen for a FPGA-based implementation.
Mainly our work is motivated by actual and future developments of the automotive market (e.g. car-2-car communication systems), which will increase the necessity for a suitable cryptographic infrastructure in modern vehicles (cf. AUTOSAR project) even further. One core component of such an infrastructure is a secure cryptographic hash function, which is used for a lot of applications like challenge-response authentication systems or digital signature schemes. Another motivation to evaluate Gr\{o}stl is its resemblance to AES.
The automotive market demands, like any mass market, low budget and therefore compact implementations, hence our evaluation of Gr\{o}stl focuses on area optimizations. It is shown that, while Gr\{o}stl is inherently quite large compared to AES, it is still possible to implement the Gr\{o}stl algorithm on small and low budget FPGAs like the second smallest available Spartan-3, while maintaining a reasonable high throughput
Breaking the FF3 Format Preserving Encryption
The NIST standard FF3 scheme (also known as BPS scheme) is a tweakable block cipher based on a 8-round Feistel Network. We break it with a practical attack. Our attack exploits the bad domain separation in FF3 design. The attack works with chosen plaintexts and tweaks when the message domain is small. Our FF3 attack requires chosen plaintexts with time complexity , where is domain size to the Feistel Network. Due to the bad domain separation in 8-round FF3, we reduced the FF3 attack to an attack on 4-round Feistel Networks. In our generic attack, we reconstruct the entire codebook of 4-round Feistel Network with known plaintexts and time complexity
An algebraic time-advantage-based key establishment protocol
In this thesis we have built a key-establishment protocol which takes advantage of a resource : time. When two devices spends a pre-determined, mostly uninterrupted time interval with each other they would be able to establish a key. However it is not just the quantity of time but also the quality which matters. The information gained about the key with time by the legitimate party can is flexible and can be chosen by the user. We have analyzed our protocol thoroughly and discussed the circumstances an adversary can gain access to information about the key
A Statistical Verification Method of Random Permutations for Hiding Countermeasure Against Side-Channel Attacks
As NIST is putting the final touches on the standardization of PQC (Post
Quantum Cryptography) public key algorithms, it is a racing certainty that
peskier cryptographic attacks undeterred by those new PQC algorithms will
surface. Such a trend in turn will prompt more follow-up studies of attacks and
countermeasures. As things stand, from the attackers' perspective, one viable
form of attack that can be implemented thereupon is the so-called "side-channel
attack". Two best-known countermeasures heralded to be durable against
side-channel attacks are: "masking" and "hiding". In that dichotomous picture,
of particular note are successful single-trace attacks on some of the NIST's
PQC then-candidates, which worked to the detriment of the former: "masking". In
this paper, we cast an eye over the latter: "hiding". Hiding proves to be
durable against both side-channel attacks and another equally robust type of
attacks called "fault injection attacks", and hence is deemed an auspicious
countermeasure to be implemented. Mathematically, the hiding method is
fundamentally based on random permutations. There has been a cornucopia of
studies on generating random permutations. However, those are not tied to
implementation of the hiding method. In this paper, we propose a reliable and
efficient verification of permutation implementation, through employing
Fisher-Yates' shuffling method. We introduce the concept of an n-th order
permutation and explain how it can be used to verify that our implementation is
more efficient than its previous-gen counterparts for hiding countermeasures.Comment: 29 pages, 6 figure
Cryptanalysis of Feistel-Based Format-Preserving Encryption
Format-Preserving Encryption (FPE) is a method to encrypt non-standard domains, thus allowing for securely encrypting not only binary strings, but also special domains, e.g., social security numbers into social security numbers. The need for those resulted in a few standardized constructions such as the NIST standardized FF1 and FF3-1 and the Korean Standards FEA-1 and FEA-2. Moreover, there are currently efforts both in ANSI and in ISO to include such block ciphers to standards (e.g., the ANSI X9.124 discussing encryption for financial services).
Most of the proposed FPE schemes, such as the NIST standardized FF1 and FF3-1 and the Korean Standards FEA-1 and FEA-2, are based on a Feistel construction with pseudo-random round functions. Moreover, to mitigate enumeration attacks against the possibly small domains, they all employ tweaks, which enrich the actual domain sizes.
In this paper we present distinguishing attacks against Feistel-based FPEs. We show a distinguishing attack against the full FF1 with data complexity of 20-bit plaintexts, against the full FF3-1
with data complexity of 20-bit plaintexts. For FEA-1 with 128-bit, 192-bit and 256-bit keys, the data complexity of the distinguishing attack is , , and 8-bit plaintexts, respectively. The data complexity of the distinguishing attack against the full FEA-2 with 128-bit, 192-bit and 256-bit is , , and 8-bit plaintexts, respectively. Moreover, we show how to extend the distinguishing attack on FEA-1 and FEA-2 using 192-bit and 256-bit keys into key recovery attacks with time complexity (for both attacks)
Approximate Thumbnail Preserving Encryption
Thumbnail preserving encryption (TPE) was suggested by Wright et al. as a way to balance privacy and usability for online image sharing. The idea is to encrypt a plaintext image into a ciphertext image that has roughly the same thumbnail as well as retaining the original image format. At the same time, TPE allows users to take advantage of much of the functionality of online photo management tools, while still providing some level of privacy against the service provider.
In this work we present three new approximate TPE encryption schemes. In our schemes, ciphertexts and plaintexts have perceptually similar, but not identical, thumbnails. Our constructions are the first TPE schemes designed to work well with JPEG compression. In addition, we show that they also have provable security guarantees that characterize precisely what information about the plaintext is leaked by the ciphertext image.
We empirically evaluate our schemes according to the similarity of plaintext and ciphertext thumbnails, increase in file size under JPEG compression, preservation of perceptual image hashes, among other aspects. We also show how approximate TPE can be an effective tool to thwart inference attacks by machine-learning image classifiers, which have shown to be effective against other image obfuscation techniques
Linear Cryptanalysis of FF3-1 and FEA
Improved attacks on generic small-domain Feistel ciphers with alternating round tweaks are obtained using linear cryptanalysis. This results in practical distinguishing and message-recovery attacks on the United States format-preserving encryption standard FF3-1 and the South-Korean standards FEA-1 and FEA-2. The data-complexity of the proposed attacks on FF3-1 and FEA-1 is , where is the domain size and is the number of rounds. For example, FF3-1 with can be distinguished from an ideal tweakable block cipher with advantage using encryption queries. Recovering the left half of a message with similar advantage requires data. The analysis of FF3-1 serves as an interesting real-world application of (generalized) linear cryptanalysis over the group
Generic Round-Function-Recovery Attacks for Feistel Networks over Small Domains
Feistel Networks (FN) are now being used massively to encrypt credit card numbers through format-preserving encryption. In our work, we focus on FN with two branches, entirely unknown round functions, modular additions (or other group operations), and when the domain size of a branch (called ) is small. We investigate round-function-recovery attacks. The best known attack so far is an improvement of Meet-In-The-Middle (MITM) attack by Isobe and Shibutani from ASIACRYPT~2013 with optimal data complexity and time complexity , where is the round number in FN. We construct an algorithm with a surprisingly better complexity when is too low, based on partial exhaustive search. When the data complexity varies from the optimal to the one of a codebook attack , our time complexity can reach . It crosses the complexity of the improved MITM for . We also estimate the lowest secure number of rounds depending on and the security goal. We show that the format-preserving-encryption schemes FF1 and FF3 standardized by NIST and ANSI cannot offer 128-bit security (as they are supposed to) for and , respectively (the NIST standard only requires ), and we improve the results by Durak and Vaudenay from CRYPTO~2017