Cryptanalysis of Some Double-Block-Length Hash Modes of Block Ciphers with -Bit Block and -Bit Key
In this paper, we make attacks on DBL (Double-Block-Length) hash modes of block ciphers with -bit key and -bit block. Our preimage attack on the hash function of the MDC-4 scheme requires time complexity , which is significantly improved compared to the previous results. Our collision attack on the hash function of the MJH scheme has time complexity less than for . Our preimage attack on the compression function of the MJH scheme finds a preimage with time complexity of . It is converted to a preimage attack on the hash function with time complexity of . Our preimage attack on the compression function of Mennink's scheme finds a preimage with time complexity of . It is converted to a preimage attack on the hash function with time complexity of . These attacks are helpful for understanding the security of the hash modes together with their security proofs.
New Preimage Attack on MDC-4
In this paper, we provide some cryptanalytic results for the double-block-length (DBL) hash mode of block ciphers MDC-4. Our preimage attacks follow the framework of Knudsen et al.'s time/memory trade-off preimage attack on MDC-2. We show how to apply it to our objects. When the block length of the underlying block cipher is bits, the most efficient preimage attack on MDC-4 requires time and space about , which is to be compared to the previous best known preimage attack having time complexity of . Additionally, we propose an enhanced version of MDC-4, MDC-4 based on a simple idea. It is secure against our preimage attack and previous attacks and has the same efficiency as MDC-4.
Collision Resistance of the JH Hash Function
In this paper, we analyze the collision resistance of the JH hash function in the ideal primitive model. The JH hash function is one of the five SHA-3 candidates accepted for the final round of evaluation. The JH hash function uses a mode of operation based on a permutation, while its security has been elusive even in the random permutation model. One can find a collision for the JH compression function with only two backward queries to the underlying primitive. However, the security is significantly enhanced in iteration. For , we prove that the JH hash function using an ideal -bit permutation and producing -bit outputs by truncation is collision resistant up to queries. This bound implies that the JH hash function provides optimal collision resistance in the random permutation model.
Conditional Cube Attacks on Ascon-128 and Ascon-80pq in a Nonce-misuse Setting
Ascon-128 and Ascon-80pq use the 12-round Ascon permutation for the initialization and finalization phases and the 6-round Ascon permutation for processing associated data and message. In a nonce-misuse setting, we present a new partial-state-recovery conditional-cube attack on Ascon-128 and Ascon-80pq, where 192 bits out of the 320-bit state are recovered. For our partial state-recovery attack, its required data complexity, , is about and its required memory complexity, , is negligible. After a 192-bit partial state is recovered, in a nonce-misuse setting, we can further recover the full 320-bit state with time complexity , and then we can recover the secret key with extra data complexity of , extra time complexity of , and memory complexity of . A similar attack recovering the partial state was independently developed by Baudrin et al. at the NIST fifth Lightweight Cryptography workshop. Note that our attack does not violate the NIST LWC security requirements on Ascon-128 and Ascon-80pq, nor the designers' claims.
Classification of 4-bit S-boxes for BOGI-permutation
In this paper, we present all 4-bit S-boxes which are able to support BOGI logic. We exhaustively show that only 2,413 PXE classes of 4-bit S-boxes are BOGI-applicable among the 142,090,700 PXE classes. We evaluate all the BOGI-applicable S-boxes in terms of security and implementation cost. The security evaluation includes the security strength of the S-boxes themselves, and how they affect the resistance of GIFT-64 against differential and linear cryptanalysis (DC and LC). The security evaluation shows that all the BOGI-applicable S-boxes fulfill the security criteria of the GIFT designers as long as they have differential uniformity 6 and linearity 8. It will also be shown that the security of GIFT-64 against DC and LC can be improved only by changing the S-box. Moreover, we evaluate the implementation costs of the BOGI-applicable S-boxes by finding their optimal implementations. The results show that the GIFT S-box is well-chosen considering the existence of fixed points, and suggest a set of S-boxes providing the same implementation cost as the GIFT S-box. Finally, we suggest a set of potentially better S-boxes for GIFT-64 based on our investigations.
Preimage Attack on ARIRANG
The hash function ARIRANG is one of the 1st round SHA-3 candidates. In this paper, we present preimage attacks on ARIRANG with step-reduced compression functions. We consider two step-reduced variants of the compression function. The first one uses the same feedforward as the original algorithm, and the other one has the feedforward working at the output of the half steps. Our attack finds a preimage of the 33-step OFF (Original FeedForward) variants of ARIRANG-256 and ARIRANG-512 from Step 1 to Step 33, and a preimage of the 31-step MFF (Middle FeedForward) variants of ARIRANG-256 and ARIRANG-512 from Step 3 to Step 33.
Efficient Differential Trail Searching Algorithm for ARX Block Ciphers
In this paper, we suggest an advanced method for searching for differential trails of block ciphers with ARX structure. We use two techniques to optimize the automatic differential trail search algorithm suggested by Biryukov et al. and obtain 2~3 times faster results than the previous one when applied to the block cipher SPECK.
New Impossible Differential Characteristic of SPECK64 using MILP
Impossible differential attack is one of the powerful methods for analyzing block ciphers. When designing block ciphers, they must be secure against impossible differential attacks. In the case of an impossible differential attack, the attack starts from finding an impossible differential characteristic. However, in the case of ARX-based block ciphers, these analyses were difficult due to modular addition. In this paper, we introduce 157 new six-round impossible differential characteristics of the ARX-based block cipher SPECK64, using the Mixed Integer Linear Programming (MILP) based impossible differential characteristic search proposed by Cui et al. [3].
Resistance of Ascon Family against Conditional Cube Attacks in Nonce-Misuse Setting
The Ascon family is one of the finalists of the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. The family includes three Authenticated Encryption with Associated Data (AEAD) schemes: Ascon-128 (primary), Ascon-128a, and Ascon-80pq. In this paper, we study the resistance of the Ascon family against conditional cube attacks in the nonce-misuse setting, and present new state- and key-recovery attacks. Our attack recovers the full state information and the secret key of Ascon-128a using the 7-round Ascon permutation for the encryption phase, with data and time. This is the best known attack result for Ascon-128a as far as we know. We also show that the partial state information of Ascon-128 can be recovered with data. Finally, by assuming that the full state information of Ascon-80pq was recovered by Baudrin et al.'s attack, we show that the 160-bit secret key of Ascon-80pq can be recovered with time. Although our attacks do not invalidate the designers' claim, they allow us to understand the security of Ascon in the nonce-misuse setting.
Shining Light on the Shadow: Full-round Practical Distinguisher for Lightweight Block Cipher Shadow
Shadow is a lightweight block cipher proposed at IEEE IoT Journal 2021. Shadow's main design principle is adopting a variant 4-branch Feistel structure in order to provide a fast diffusion rate. We define such a structure as the Shadow structure and prove that it is almost identical to the Generalized Feistel Network, which invalidates the design principle. Moreover, we give a structural distinguisher that can distinguish the Shadow structure from a random permutation with only two plaintext/ciphertext pairs. By exploiting the key schedule, the distinguisher can be extended to a key recovery attack with only one plaintext/ciphertext pair. Furthermore, by considering Shadow's round function, only certain forms of monomials can appear in the ciphertext, resulting in an integral distinguisher of four plaintext/ciphertext pairs. Even more, the algebraic degree does not increase beyond 12 for Shadow-32 and 20 for Shadow-64 regardless of the number of rounds used. Our results show that Shadow is highly vulnerable to algebraic attacks, and that algebraic attacks should be carefully considered when designing ciphers with AND, rotation, and XOR operations.