226 research outputs found

    Internal collision attack on Maraca

    We present an internal collision attack against the new hash function Maraca which has been submitted to the SHA-3 competition. This attack requires 2^{237} calls to the round function and its complexity is lower than the complexity of the generic collision attack when the length of the message digest is greater than or equal to 512. It is shown that this cryptanalysis mainly exploits some particular differential properties of the inner permutation, which are in some sense in contradiction with the usual security criterion which guarantees the resistance to differential attacks.

    Exploiting algebraic properties of block ciphers

    COST Training School on Symmetric Cryptography and Blockchain, Torremolinos, Spain

    Secure building-blocks against differential and linear attacks

    COST Training School on Symmetric Cryptography and Blockchain, Torremolinos, Spain

    On the Origin of Trust: Struggle for Secure Cryptography

    International audience
    Cryptographic primitives, like encryption schemes, hash functions... are the core of most security applications. But the trust that users place in these algorithms has been repeatedly violated. There are many examples of attacks which exploit weaknesses of the underlying cryptographic primitives, like the recent Logjam and Sloth attacks against TLS. So when can we trust cryptography? It should be clear that we cannot trust algorithms which do not have public design rationale and which have not been thoroughly studied. Most notably, the primitives recommended by the cryptographic community are those which have been chosen after an international competition. Within such an open contest, like the AES and the SHA-3 selection processes, all proposals have been carefully analyzed by all participants; their security margins have been evaluated. This ongoing cryptanalytic effort is the only reliable security argument to consider when deciding which primitive to trust.

    L'insoutenable légèreté du chiffrement (The Unbearable Lightness of Encryption)

    National audience

    Distinguishing and Key-recovery Attacks against Wheesht

    Wheesht is one of the candidates to the CAESAR competition. In this note we present several attacks on Wheesht, showing that it is far from the advertised security level of 256 bits. In particular we describe a distinguishing attack with 2^{70.3} known plaintext words for any number of rounds of Wheesht, and a key-recovery attack (recovering the encryption key) for versions of Wheesht with a single finalization round with very little data and time complexity 2^{192}.

    A further improvement of the work factor in an attempt at breaking McEliece's cryptosystem

    Abstract available in the PDF file.

    Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256

    International audience
    The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size 2^{19} and 2^{10} for the finalization permutation in Hamsi-256.