28 research outputs found

    Cryptanalysis of 1-Round KECCAK

    In this paper, we give the first preimage attack against the 1-round KECCAK-512 hash function, which works for all variants of 1-round KECCAK. The attack gives a preimage of length less than 1024 bits by solving a system of 384 linear equations. We also give a collision attack against 1-round KECCAK using similar analysis.

    Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak

    In this paper, we analyze the security of round-reduced versions of the Keccak hash function family. Based on the work pioneered by Aumasson and Meier, and Dinur et al., we formalize and develop a technique named linear structure, which allows linearization of the underlying permutation of Keccak for up to 3 rounds with a large number of free variables. As a direct application, it extends the best zero-sum distinguishers by 2 rounds without increasing their complexities. We also apply linear structures to preimage attacks against Keccak. By carefully studying the properties of the underlying Sbox, we show bilinear structures and find ways to convert the information on the output bits into linear functions of the input bits. These findings, combined with linear structures, lead us to preimage attacks against up to 4-round Keccak with reduced complexities. An interesting feature of such preimage attacks is their low complexity for small variants. As extreme examples, we can now find preimages of 3-round SHAKE128 with complexity 1, as well as the first practical solutions to two 3-round instances of the Keccak challenge. Both the zero-sum distinguishers and the preimage attacks are verified by implementations. It is noted that the attacks here are still far from threatening the security of the full 24-round Keccak.

    Classification of Two-Dimensional Gas Chromatography Data

    Gas chromatography (GC) is a popular tool for chemical analysis. Some samples are so complex that a single column does not have enough power to separate all of the analytes. In this instance a higher-resolution GC method, known as comprehensive two-dimensional gas chromatography (GCxGC), is used. DSTL wants to be able to use data from GCxGC to attribute samples to a particular region or cultivar. However, the nature of the data means that several difficulties must be overcome before being able to do this: noise from the sample, peak mis-alignment, and a small number of samples. In this report, we investigate several methods to overcome such difficulties, and then classify the data. We are very successful in telling apart blanks from seeds, but obtain limited success when trying to classify between seeds. The method that shows the most promise is k-Nearest Neighbours classification by Wasserstein distance. However, this is still quite sensitive to the noise created by the solvent in the sample. Thus, we suggest that more blank runs be obtained, so that the 'ground truth' behaviour of the solvent is better understood, allowing us to remove the effect of the solvent from seed data. We also hope that the methods explored here will be more successful on the full raw data than they were on the limited 'peaks' data available to us for the purpose of this study.

    Preimage Attacks on Round-reduced Keccak-224/256 via an Allocating Approach

    We present new preimage attacks on standard Keccak-224 and Keccak-256 that are reduced to 3 and 4 rounds. An allocating approach is used in the attacks: the whole complexity is allocated to two stages, such that fewer constraints are considered and the complexity is lowered in each stage. Specifically, we try to find a 2-block preimage, instead of a 1-block one, for a given hash value, and the first and second message blocks are found in two stages, respectively. Both message blocks are constrained by a set of newly proposed conditions on the middle state, which are weaker than those imposed by the initial values and the hash values. Thus, the complexities of the two stages are both lower than that of finding a 1-block preimage directly. Together with the basic allocating approach, an improved method is given to balance the complexities of the two stages, and hence obtains the optimal attacks. As a result, we present the best theoretical preimage attacks on Keccak-224 and Keccak-256 reduced to 3 and 4 rounds. Moreover, we practically found a (second) preimage for 3-round Keccak-224 with a complexity of 2^{39.39}.

    New Results on the SymSum Distinguisher on Round-Reduced SHA3

    In ToSC 2017 Saha et al. demonstrated an interesting property of SHA3 based on higher-order vectorial derivatives which led to self-symmetry based distinguishers referred to as SymSum and bettered the complexity w.r.t. the well-studied ZeroSum distinguisher by a factor of 4. This work attempts to take a fresh look at this distinguisher in the light of the linearization technique developed by Guo et al. at Asiacrypt 2016. It is observed that the efficiency of SymSum against ZeroSum drops from 4 to 2 for any number of rounds linearized. This is supported by theoretical proofs. SymSum augmented with linearization can penetrate up to two more rounds than the classical version. In addition to that, one more round is extended by an inversion technique on the final hash values. The combined approach leads to distinguishers on up to 9 rounds of SHA3 variants with a complexity of only 2^{64}, which is better than the equivalent ZeroSum distinguisher by a factor of 2. To the best of our knowledge this is the best distinguisher available on this many rounds of SHA3.

    The ventilation of buildings and other mitigating measures for COVID-19: a focus on wintertime.

    The year 2020 has seen the emergence of a global pandemic as a result of the disease COVID-19. This report reviews knowledge of the transmission of COVID-19 indoors, examines the evidence for mitigating measures, and considers the implications for wintertime with a focus on ventilation. This work was undertaken as a contribution to the Rapid Assistance in Modelling the Pandemic (RAMP) initiative, coordinated by the Royal Society.

    Optimisation of Fluid Mixing in a Hydrosac Growing Module

    A mathematical model is sought for the flow of nutrients in the Hydrosac growing module being developed by Phytoponics. The basic operation involves long fluid-filled bags with periodic growing zones from which root systems emerge into the bulk fluid. The system is periodically perturbed via two main processes: partial drainage and refilling of each bag with nutrient-infused water, with inlet and outlet at opposite ends of the bag; and a more violent oxygenation of the water through bubbles that rise from the pores of an aeration tube that runs underneath the central long axis of the bag. The aim of the modelling is to determine the key parameters and fluid regimes underlying the nutrient mixing process, to ensure that required nutrient levels are maintained throughout the root zones, and to enable optimal scheduling of the nutrient and bubble flow. Simple experiments were performed via the injection of dye into an operating Hydrosac that contained semi-mature plants. This enabled a basic understanding of the time and length scales of nutrient flow, and also the extent to which mixing occurs in different zones within the bag. Four different flow regimes are identified. At the scale of a single root, a Stokes-flow approximation may be used. At the scale of the individual plant, a so-called Brinkman flow regime may be employed, which describes a transition between slow porous-medium flow and fast channel flow. These equations may be homogenised into a 1D model that can be used to estimate the macro-scale flow of nutrients along the length of the bag. A shear flow model is used to predict the extent to which this flow permeates into regions dominated by plant roots. This leads to the requirement to model the bubble-driven flow within a bag cross-section containing a plant. Simplified two-phase flow equations are derived and solved within the software COMSOL. The results suggest that the bubble flow is sufficient to drive recirculating flow, which is also found to be consistent with previous literature. The overall conclusion is that both the periodic flow of nutrients and the aeration are required in order to enable even nutrient spread in the Hydrosac. Wave effects can be ignored, as can the effect of stagnated nutrient diffusion. The longitudinal nutrient flow enables the whole sack to be reached on the time scale of several cycles of the main inlet flow, while the recirculation from the bubble flow enables nutrients to spread within the plant roots. Nevertheless, regions of stagnation can occur via this process near any sharp corners of the bag. It is recommended that the various analyses are combined into a reduced-order mathematical model that can be used to optimise the dynamic operation of the Hydrosac, which can also be adapted to other geometries and growing conditions.

    Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

    The conditional cube attack is an efficient key-recovery attack on Keccak keyed modes proposed by Huang et al. at EUROCRYPT 2017. By assigning bit conditions, the diffusion of a conditional cube variable is reduced. Then, using a greedy algorithm (Algorithm 4 in Huang et al.'s paper), Huang et al. find some ordinary cube variables that do not multiply together in the 1st round and do not multiply with the conditional cube variable in the 2nd round. Then the key-recovery attack is launched. The key part of the conditional cube attack is to find enough ordinary cube variables. Note that the greedy algorithm given by Huang et al. adds ordinary cube variables without considering their bad effect, i.e. a new ordinary cube variable may prevent many other variables from being selected as ordinary cube variables (they multiply with the new ordinary cube variable in the first round). In this paper, we introduce a new MILP model to solve the above problem. We show how to model the CP-like-kernel and how to model the requirement that the ordinary cube variables do not multiply together in the 1st round and do not multiply with the conditional cube variable in the 2nd round. Based on these modeling strategies, a series of linear inequalities is given to restrict the way an ordinary cube variable is added. Then, by choosing as objective function the maximal number of ordinary cube variables, we convert Huang et al.'s greedy algorithm into an MILP problem and the maximal set of ordinary cube variables is found. Using this new MILP tool, we improve Huang et al.'s key-recovery attacks on reduced-round Keccak-MAC-384 and Keccak-MAC-512 by 1 round, obtaining the first 7-round and 6-round key-recovery attacks, respectively. For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round key-recovery attack can be achieved. In addition, for Ketje Minor, we use a conditional cube variable with a 6-6-6 pattern to launch a 7-round key-recovery attack.

    DLCT: A New Tool for Differential-Linear Cryptanalysis

    Differential cryptanalysis and linear cryptanalysis are the two best-known techniques for cryptanalysis of block ciphers. In 1994, Langford and Hellman introduced the differential-linear (DL) attack based on dividing the attacked cipher E into two subciphers E_0 and E_1 and combining a differential characteristic for E_0 with a linear approximation for E_1 into an attack on the entire cipher E. The DL technique was used to mount the best known attacks against numerous ciphers, including the AES finalist Serpent, ICEPOLE, COCONUT98, Chaskey, CTC2, and 8-round DES. Several papers aimed at formalizing the DL attack and formulating assumptions under which its complexity can be estimated accurately. These culminated in a recent work of Blondeau, Leander, and Nyberg (Journal of Cryptology, 2017) which obtained an accurate expression under the sole assumption that the two subciphers E_0 and E_1 are independent. In this paper we show that in many cases, dependency between the two subciphers significantly affects the complexity of the DL attack, and in particular, can be exploited by the adversary to make the attack more efficient. We present the Differential-Linear Connectivity Table (DLCT) which allows us to take into account the dependency between the two subciphers, and to choose the differential characteristic in E_0 and the linear approximation in E_1 in a way that takes advantage of this dependency. We then show that the DLCT can be constructed efficiently using the Fast Fourier Transform. Finally, we demonstrate the strength of the DLCT by using it to improve differential-linear attacks on ICEPOLE and on 8-round DES, and to explain published experimental results on Serpent and on the CAESAR finalist Ascon which did not comply with the standard differential-linear framework.
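    Worked example, added here and not code from the DLCT paper: the table for a 4-bit S-box computed both directly from the definition and through the fast Walsh-Hadamard transform, which is the FFT route the abstract refers to. The definition assumed is DLCT_S(Δ, λ) = #{x : λ·S(x) = λ·S(x ⊕ Δ)} − 2^{n−1}, with λ·S(x) the GF(2) inner product; the identity used for the fast route is DLCT(Δ, λ) = 2^{−n−1} Σ_ω W_λ(ω)^2 (−1)^{ω·Δ}, where W_λ is the Walsh spectrum of the component function x ↦ λ·S(x) (the autocorrelation of a Boolean function is the inverse transform of its squared spectrum). The PRESENT S-box is used only as sample input; the function names are this example's own.

```python
# Added example: Differential-Linear Connectivity Table (DLCT) of a 4-bit S-box.
# Illustrative code written for this page, not code from the DLCT paper.
# Definition assumed:
#   DLCT_S(d, m) = #{x : m.S(x) == m.S(x ^ d)} - 2^(n-1)
# where "." is the GF(2) inner product, d an input difference, m an output mask.
# Two constructions are given and must agree:
#   dlct_direct : straight from the definition, O(2^(2n)) per column
#   dlct_fft    : via the fast Walsh-Hadamard transform, using
#                 DLCT(d, m) = 2^(-n-1) * sum_w W_m(w)^2 * (-1)^(w.d),
#                 W_m being the Walsh spectrum of the component x -> m.S(x).
# Sample input: the PRESENT S-box (a real 4-bit S-box, chosen only as data).

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    """GF(2) inner product helper: parity of the set bits of v."""
    return bin(v).count("1") & 1


def dlct_direct(sbox):
    """DLCT straight from the definition; returns table[d][m]."""
    n = len(sbox).bit_length() - 1
    size = 1 << n
    table = [[0] * size for _ in range(size)]
    for d in range(size):
        for m in range(size):
            equal = sum(1 for x in range(size)
                        if parity(m & sbox[x]) == parity(m & sbox[x ^ d]))
            table[d][m] = equal - size // 2
    return table


def fwht(vec):
    """Unnormalised fast Walsh-Hadamard transform; returns a new list."""
    a = list(vec)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def dlct_fft(sbox):
    """DLCT via Walsh spectra (the FFT route); returns table[d][m]."""
    n = len(sbox).bit_length() - 1
    size = 1 << n
    table = [[0] * size for _ in range(size)]
    for m in range(size):
        # +1/-1 truth table of the component function f_m(x) = m.S(x)
        signed = [1 - 2 * parity(m & sbox[x]) for x in range(size)]
        walsh = fwht(signed)              # W_m(w) for every linear mask w
        power = [w * w for w in walsh]    # W_m(w)^2
        corr = fwht(power)                # corr[d] = size * r_m(d), r_m the autocorrelation
        for d in range(size):
            # DLCT(d, m) = r_m(d) / 2; r_m(d) is always even, so this is exact
            table[d][m] = corr[d] // (2 * size)
    return table


def strongest_entries(table):
    """Non-trivial (d, m, value) triples whose entry hits the extreme +-2^(n-1)."""
    size = len(table)
    extreme = size // 2
    return [(d, m, table[d][m])
            for d in range(1, size) for m in range(1, size)
            if abs(table[d][m]) == extreme]


if __name__ == "__main__":
    t = dlct_fft(PRESENT_SBOX)
    assert t == dlct_direct(PRESENT_SBOX)
    for d, row in enumerate(t):
        print(f"{d:x}: " + " ".join(f"{v:3d}" for v in row))
    print("deterministic differential-linear relations:", strongest_entries(t))
```

    The entry DLCT(Δ=1, λ=1) comes out as −8, the extreme value: for the PRESENT S-box, input difference 1 only ever produces the output differences 3, 7, 9 and D, all of which have bit 0 set, so the one-bit mask λ=1 flips with probability 1 across that difference. A differential characteristic ending in difference 1 and a linear approximation starting with mask 1 on the same S-box are therefore anything but independent, which is precisely what the E_0/E_1 independence assumption cannot see and what the DLCT makes explicit. Row Δ=0 and column λ=0 are the trivial +2^{n−1} entries.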