The Symbiosis between Collision and Preimage Resistance

We revisit the definitions of preimage resistance, focussing on the question of finding a definition that is simple enough to prove security against, yet flexible enough to be of use for most applications. We give an in-depth analysis of existing preimage resistance notions, introduce several new notions, and establish relations and separations between the known and new preimage notions. This establishes a clear separation between domain-oriented and range-oriented preimage resistance notions. For the former an element is chosen from the domain and hashed to form the target digest; for the latter the target digest is chosen directly from the range. In particular, we show that Rogaway and Shrimpton’s notion of everywhere preimage resistance on its own is less powerful than previously thought. However, we prove that in conjunction with collision resistance, everywhere preimage resistance implies ‘ordinary’ (domain-based) preimage resistance. We show the implications of our result for iterated hash functions and hash chains, where the latter is related to the Winternitz one-time signature scheme.status: publishe

Leakage-Resilient and Misuse-Resistant Authenticated Encryption

Leakage-resilience and misuse-resistance are two important properties for the deployment of authenticated encryption schemes. They aim at mitigating the impact of implementation flaws due to side-channel leakages and misused randomness. In this paper, we discuss their interactions and incompatibilities. For this purpose, we first show a generic composition mode of a MAC with an encryption scheme that leads to a misuse-resistant authenticated encryption scheme, and also show that misuse-resistance does not hold anymore in the presence of leakages, even when relying on leakage-resilient MACs and encryption schemes. Next, we argue that full misuse-resistance with leakage may be impossible to achieve with simple primitives such as hash functions and block ciphers. As a result, we formalize a new security notion of ciphertext integrity with misuse and leakage, which seems to be the best that can be achieved in a symmetric cryptographic setting, and describe first efficient constructions satisfying it

Design and Analysis of Multi-Block-Length Hash Functions

Cryptographic hash functions are used in many cryptographic applications, and the design of provably secure hash functions (relative to various security notions) is an active area of research. Most of the currently existing hash functions use the Merkle-Damgård paradigm, where by appropriate iteration the hash function inherits its collision and preimage resistance from the underlying compression function. Compression functions can either be constructed from scratch or be built using well-known cryptographic primitives such as a blockcipher. One classic type of primitive-based compression functions is single-block-length : It contains designs that have an output size matching the output length n of the underlying primitive. The single-block-length setting is well-understood. Yet even for the optimally secure constructions, the (time) complexity of collision- and preimage-finding attacks is at most 2n/2, respectively 2n ; when n = 128 (e.g., Advanced Encryption Standard) the resulting bounds have been deemed unacceptable for current practice. As a remedy, multi-block-length primitive-based compression functions, which output more than n bits, have been proposed. This output expansion is typically achieved by calling the primitive multiple times and then combining the resulting primitive outputs in some clever way. In this thesis, we study the collision and preimage resistance of certain types of multi-call multi-block-length primitive-based compression (and the corresponding Merkle-Damgård iterated hash) functions : Our contribution is three-fold. First, we provide a novel framework for blockcipher-based compression functions that compress 3n bits to 2n bits and that use two calls to a 2n-bit key blockcipher with block-length n. We restrict ourselves to two parallel calls and analyze the sufficient conditions to obtain close-to-optimal collision resistance, either in the compression function or in the Merkle-Damgård iteration. Second, we present a new compression function h: {0,1}3n → {0,1}2n ; it uses two parallel calls to an ideal primitive (public random function) from 2n to n bits. This is similar to MDC-2 or the recently proposed MJH by Lee and Stam (CT-RSA'11). However, unlike these constructions, already in the compression function we achieve that an adversary limited (asymptotically in n) to O (22n(1-δ)/3) queries (for any δ > 0) has a disappearing advantage to find collisions. This is the first construction of this type offering collision resistance beyond 2n/2 queries. Our final contribution is the (re)analysis of the preimage and collision resistance of the Knudsen-Preneel compression functions in the setting of public random functions. Knudsen-Preneel compression functions utilize an [r,k,d] linear error-correcting code over 𝔽2e (for e > 1) to build a compression function from underlying blockciphers operating in the Davies-Meyer mode. Knudsen and Preneel show, in the complexity-theoretic setting, that finding collisions takes time at least 2(d-1)n2. Preimage resistance, however, is conjectured to be the square of the collision resistance. Our results show that both the collision resistance proof and the preimage resistance conjecture of Knudsen and Preneel are incorrect : With the exception of two of the proposed parameters, the Knudsen-Preneel compression functions do not achieve the security level they were designed for

Better Than Advertised: Improved Collision-Resistance Guarantees for MD-Based Hash Functions

The MD transform that underlies the MD and SHA families iterates a compression function $\mathsf{h}$ to get a hash function $\mathsf{H}$. The question we ask is, what property X of $\mathsf{h}$ guarantees collision resistance (CR) of $\mathsf{H}$? The classical answer is that X itself be CR. We show that weaker conditions X, in particular forms of what we call constrained-CR, suffice. This reduces demands on compression functions, to the benefit of security, and also, forensically, explains why collision-finding attacks on compression functions have not, historically, lead to immediate breaks of the corresponding hash functions. We obtain our results via a definitional framework called RS security, and a parameterized treatment of MD, that also serve to unify prior work and variants of the transform

Authenticated Encryption with Nonce Misuse and Physical Leakages: Definitions, Separation Results, and Leveled Constructions

We propose definitions and constructions of authenticated encryption (AE) schemes that offer security guarantees even in the presence of nonce misuse and side-channel leakages. This is part of an important ongoing effort to make AE more robust, while preserving appealing efficiency properties. Our definitions consider an adversary enhanced with the leakages of all the computations of an AE scheme, together with the possibility to misuse nonces, be it during all queries (in the spirit of misuse-resistance), or only during training queries (in the spirit of misuse-resilience recently introduced by Ashur et al.). These new definitions offer various insights on the effect of leakages in the security landscape. In particular, we show that, in contrast with the black-box setting, leaking variants of INT-CTXT and IND-CPA security do not imply a leaking variant IND-CCA security, and that leaking variants of INT-PTXT and IND-CCA do not imply a leaking variant of INT-CTXT. Eventually, we propose first instances of modes of operations that satisfy our definitions. In order to optimize their efficiency, we aim at modes that support leveled implementations such that the encryption and decryption operations require the use of a small constant number of evaluations of an expensive and heavily protected component, while the bulk of the computations can be performed by cheap and weakly protected block cipher implementations

Some Theoretical Conditions for Menezes--Qu--Vanstone Key Agreement to Provide Implicit Key Authentication

Menezes--Qu--Vanstone key agreement (MQV) is intended to provide implicit key authentication (IKA) and several other security objectives. MQV is approved and specified in five standards. This report focuses on the IKA of two-pass MQV, without key confirmation. Arguably, implicit key authentication is the most essential security objective in authenticated key agreement. The report examines various necessary or sufficient formal conditions under which MQV may provide IKA. Incidentally, this report defines, relies on, and inter-relates various conditions on the key deriviation function and Diffie--Hellman groups. While it should be expected that most such definitions and results are already well-known, a reader interested in these topics may be interested in this report as a kind of review, even if they have no interest in MQV whatsoever

Blockchain, parameterisation and automated arbitrage applied to the chemical industry

This thesis considers three scenarios related to chemical industry where the concepts of eco-industrial parks (EIPs), Industry 4.0, parameterisation, blockchain and arbitrage are brought together to explore the issues of simulation speed and accuracy, machine-to-machine (M2M) communication and automated participation in financial markets. In the first scenario, a biodiesel plant flow sheet model is analysed and parameterised. The relations between 11 inputs typical to a biodiesel plant and its energy requirements are approximated using surrogate models, of which accuracy is assessed. Additionally, the effects of dimensionality, domain size and surrogate type on the accuracy are investigated and global sensitivities of the outputs are computed using High Dimensional Model Representation (HDMR). Most surrogate models achieved at least a reasonable fit regardless of the domain size and number of dimensions. It was observed that in all cases only 4 or fewer inputs have significant influence on any of the outputs and that the interaction terms have only minor effect on any one output. In the second scenario, applications of blockchain technology related to Industry 4.0 are explored and an example where blockchain is employed to facilitate M2M interactions and establish a M2M electricity market in the context of the chemical industry is presented. Successful implementation of two electricity producers and one electricity consumer trading with each other over a blockchain-based network is presented. In the third scenario, an automated arbitrage spotter is developed and applied to two cases: conversion of natural gas to methanol and crude palm oil to biodiesel. The spotter is designed to search for opportunities to make additional profit by analysing the futures market prices for both the reagent and the product. It considers cost of storage and conversion (other feedstock, steam, electricity and other utilities) derived from physical simulations of the chemical process. In a profitable scenario up to 345.17 USD per tonne of biodiesel can be earned by buying contracts for delivery of crude palm oil in September 2018 and selling contracts for delivery of biodiesel in December 2018 in a ratio of 4 to 1.Department of Chemical Engineering and Biotechnology in the University of Cambridge and Cambridge CARES Ltd

Logistics oriented analysis of the integration of blockchain and Internet of Things

This thesis’s purpose is to make an in-depth analysis about Blockchain (BC) and Internet of Things (IoT) technologies. Characteristics, purpose and use cases from these two fields will be studied individually and afterwards a research about how can they interact both in a general and also a logistic-oriented point of view will be conducted. The issue will be addressed by summarizing the latest scientific literature, consisting on a systematic review of articles and papers from prestigious institutions and authors announcing the current state of the art of IoT and Blockchain.Outgoin

Proceedings of SAT Competition 2013 : Solver and Benchmark Descriptions

Peer reviewe

ICR ANNUAL REPORT 2020 (Volume 27)[All Pages]

This Annual Report covers from 1 January to 31 December 202