37 research outputs found

    Cryptanalysis of 1-Round KECCAK

    In this paper, we give the first preimage attack against the 1-round KECCAK-512 hash function, which works for all variants of 1-round KECCAK. The attack yields a preimage of length less than 1024 bits by solving a system of 384 linear equations. We also give a collision attack against 1-round KECCAK using a similar analysis.

    Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak

    In this paper, we analyze the security of round-reduced versions of the Keccak hash function family. Based on the work pioneered by Aumasson and Meier, and Dinur et al., we formalize and develop a technique named linear structure, which allows linearization of the underlying permutation of Keccak for up to 3 rounds with a large number of free variables. As a direct application, it extends the best zero-sum distinguishers by 2 rounds without increasing the complexities. We also apply linear structures to preimage attacks against Keccak. By carefully studying the properties of the underlying Sbox, we show bilinear structures and find ways to convert the information on the output bits to linear functions on input bits. These findings, combined with linear structures, lead us to preimage attacks against up to 4-round Keccak with reduced complexities. An interesting feature of such preimage attacks is their low complexity for small variants. As extreme examples, we can now find preimages of 3-round SHAKE128 with complexity 1, as well as the first practical solutions to two 3-round instances of the Keccak challenge. Both the zero-sum distinguishers and the preimage attacks are verified by implementations. It is noted that the attacks here are still far from threatening the security of the full 24-round Keccak.

    Preimage Attacks on Round-reduced Keccak-224/256 via an Allocating Approach

    We present new preimage attacks on standard Keccak-224 and Keccak-256 reduced to 3 and 4 rounds. An allocating approach is used in the attacks: the whole complexity is allocated to two stages, so that fewer constraints are considered and the complexity is lowered in each stage. Specifically, we look for a 2-block preimage, instead of a 1-block one, for a given hash value, and the first and second message blocks are found in two separate stages. Both message blocks are constrained by a set of newly proposed conditions on the middle state, which are weaker than those imposed by the initial value and the hash value. Thus, the complexities of the two stages are both lower than that of finding a 1-block preimage directly. Together with the basic allocating approach, an improved method is given to balance the complexities of the two stages and hence obtain the optimal attacks. As a result, we present the best theoretical preimage attacks on Keccak-224 and Keccak-256 reduced to 3 and 4 rounds. Moreover, we practically found a (second) preimage for 3-round Keccak-224 with a complexity of 2^{39.39}.

    New Results on the SymSum Distinguisher on Round-Reduced SHA3

    In ToSC 2017, Saha et al. demonstrated an interesting property of SHA3 based on higher-order vectorial derivatives, which led to self-symmetry based distinguishers referred to as SymSum and improved the complexity with respect to the well-studied ZeroSum distinguisher by a factor of 4. This work takes a fresh look at this distinguisher in the light of the linearization technique developed by Guo et al. at Asiacrypt 2016. It is observed that the advantage of SymSum over ZeroSum drops from a factor of 4 to a factor of 2 for any number of linearized rounds; this is supported by theoretical proofs. SymSum augmented with linearization penetrates up to two more rounds than the classical version. In addition, one more round is gained by an inversion technique on the final hash values. The combined approach leads to distinguishers on up to 9 rounds of the SHA3 variants with a complexity of only 2^{64}, which is better than the equivalent ZeroSum distinguisher by a factor of 2. To the best of our knowledge this is the best distinguisher available on this many rounds of SHA3.

    The ventilation of buildings and other mitigating measures for COVID-19: a focus on wintertime.

    The year 2020 has seen the emergence of a global pandemic as a result of the disease COVID-19. This report reviews knowledge of the transmission of COVID-19 indoors, examines the evidence for mitigating measures, and considers the implications for wintertime with a focus on ventilation. This work was undertaken as a contribution to the Rapid Assistance in Modelling the Pandemic (RAMP) initiative, coordinated by the Royal Society.

    DLCT: A New Tool for Differential-Linear Cryptanalysis

    Differential cryptanalysis and linear cryptanalysis are the two best-known techniques for cryptanalysis of block ciphers. In 1994, Langford and Hellman introduced the differential-linear (DL) attack, based on dividing the attacked cipher E into two subciphers E_0 and E_1 and combining a differential characteristic for E_0 with a linear approximation for E_1 into an attack on the entire cipher E. The DL technique was used to mount the best known attacks against numerous ciphers, including the AES finalist Serpent, ICEPOLE, COCONUT98, Chaskey, CTC2, and 8-round DES. Several papers aimed at formalizing the DL attack and formulating assumptions under which its complexity can be estimated accurately. These culminated in a recent work of Blondeau, Leander, and Nyberg (Journal of Cryptology, 2017), which obtained an accurate expression under the sole assumption that the two subciphers E_0 and E_1 are independent. In this paper we show that in many cases, dependency between the two subciphers significantly affects the complexity of the DL attack, and in particular can be exploited by the adversary to make the attack more efficient. We present the Differential-Linear Connectivity Table (DLCT), which allows us to take into account the dependency between the two subciphers and to choose the differential characteristic in E_0 and the linear approximation in E_1 in a way that takes advantage of this dependency. We then show that the DLCT can be constructed efficiently using the Fast Fourier Transform. Finally, we demonstrate the strength of the DLCT by using it to improve differential-linear attacks on ICEPOLE and on 8-round DES, and to explain published experimental results on Serpent and on the CAESAR finalist Ascon that did not comply with the standard differential-linear framework.
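    The table the abstract describes, as an added example that is not code from the paper: the DLCT of a small S-box S is taken here as DLCT[Δ][λ] = #{x : λ·(S(x) ⊕ S(x ⊕ Δ)) = 0} − 2^{n−1}, i.e. how far the bias of the output mask λ applied to the output difference of the input difference Δ is from zero. The block computes it twice, by direct enumeration and by running a Walsh-Hadamard (Fourier) transform over the rows of the ordinary difference distribution table, and checks that both agree. The 4-bit PRESENT S-box is used only as a constructed concrete input; every function name is the example's own.

```python
"""DLCT of a small S-box: direct enumeration versus DDT + Walsh-Hadamard transform.

Added example, not the paper's code. Definition assumed (per the DLCT paper):
    DLCT[d_in][mask] = #{x : mask . (S(x) ^ S(x ^ d_in)) = 0} - 2^(n-1)
"""
from typing import List

# Constructed input: the 4-bit PRESENT S-box. Any n-bit S-box table works.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    """Parity of the set bits of v; parity(mask & y) is the inner product mask . y mod 2."""
    return bin(v).count("1") & 1


def ddt(sbox: List[int]) -> List[List[int]]:
    """Difference distribution table: DDT[d_in][d_out] = #{x : S(x) ^ S(x ^ d_in) = d_out}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for d_in in range(n):
        for x in range(n):
            table[d_in][sbox[x] ^ sbox[x ^ d_in]] += 1
    return table


def dlct_direct(sbox: List[int]) -> List[List[int]]:
    """DLCT by brute force over all inputs, straight from the definition."""
    n = len(sbox)
    half = n // 2
    table = [[0] * n for _ in range(n)]
    for d_in in range(n):
        for mask in range(n):
            zeros = sum(1 for x in range(n)
                        if parity(mask & (sbox[x] ^ sbox[x ^ d_in])) == 0)
            table[d_in][mask] = zeros - half
    return table


def walsh_hadamard(vec: List[int]) -> List[int]:
    """Fast Walsh-Hadamard transform: out[m] = sum_d vec[d] * (-1)^(m . d).

    len(vec) must be a power of two. O(N log N) instead of O(N^2).
    """
    out = list(vec)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                a, b = out[j], out[j + h]
                out[j], out[j + h] = a + b, a - b
        h *= 2
    return out


def dlct_fft(sbox: List[int]) -> List[List[int]]:
    """DLCT from the DDT: each DLCT row is half the Walsh-Hadamard transform of the DDT row.

    sum_d DDT[d_in][d] * (-1)^(mask . d) = #{mask . out = 0} - #{mask . out = 1}
                                         = 2 * #{mask . out = 0} - 2^n,
    and halving that gives exactly #{mask . out = 0} - 2^(n-1).
    """
    return [[v // 2 for v in walsh_hadamard(row)] for row in ddt(sbox)]


def strongest_nontrivial(table: List[List[int]]) -> int:
    """Largest |DLCT| over nonzero input difference and nonzero output mask.

    2^(n-1) here means a deterministic differential-linear relation through the S-box.
    """
    n = len(table)
    return max(abs(table[d][m]) for d in range(1, n) for m in range(1, n))


if __name__ == "__main__":
    t = dlct_fft(PRESENT_SBOX)
    for row in t:
        print(" ".join(f"{v:3d}" for v in row))
    print("strongest nontrivial |DLCT| entry:", strongest_nontrivial(t))
```

    For PRESENT, input difference 1 always sets the lowest output difference bit (every pair S(x) ⊕ S(x ⊕ 1) has odd low bit), so DLCT[1][1] is −8, the extreme value for a 4-bit S-box; that is the kind of deterministic transition between a differential and a linear part that the independence assumption would model as bias 0.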

    Using common information in the disjoint decomposition of multi-output Boolean functions (Wykorzystanie wspólnej informacji w dekompozycji rozłącznej wielowyjściowych funkcji boolowskich)

    This article describes a new method of using disjoint decomposition as a part of functional decomposition. Functional decomposition has important applications in many fields of modern engineering and science (FPGA synthesis, information systems, neural networks and many others). The presented algorithm is dedicated to multi-output Boolean functions. The concept is based on dividing the complex function into single-output functions and then exploiting the common information present in these functions. To test the algorithm, a prototype tool was implemented, and the results are presented in the paper. (Polish abstract, translated:) The article presents a new method of using disjoint decomposition as an element of functional decomposition. Functional decomposition has applications in many fields of electronics, computer science and telecommunications (e.g. FPGA synthesis, information systems, neural networks, digital filter synthesis). The proposed algorithm is dedicated to multi-output Boolean functions. The algorithm is based on parallel decomposition and on exploiting the common information contained in the decomposed subfunctions.

    A method for input variable selection in functional decomposition based on Shannon expansion (Metoda doboru zmiennych w dekompozycji funkcjonalnej bazująca na ekspansji Shannona)

    Functional decomposition has important applications in many fields of modern engineering and science. The practical usefulness of decomposition-based methods for very complex systems is restricted by the computational complexity and memory requirements of existing algorithms. The efficiency of currently used decomposition algorithms depends on the size of the decomposed functions. One of the crucial parts of functional decomposition is input variable partitioning. In this paper, the "divide-and-conquer" paradigm is used to propose a new input variable partitioning method. It has to be stressed that the proposed method is not an input variable partitioning algorithm in itself. It should be treated as a general scheme that can be combined with algorithms generating input variable partitions (systematically, heuristically, or by algorithms based on BDDs). (Polish abstract, translated:) Functional decomposition has applications in many fields of modern science. The article proposes an algorithm that shortens the computation time of the variable selection stage in functional decomposition. The described method is based on the "divide and conquer" paradigm and uses Shannon expansion. It should be stressed that the proposed method is not a variable selection algorithm in itself. It is a general scheme that can be used together with other variable selection methods (the systematic method, heuristic methods, methods based on