23 research outputs found
Cryptanalysis of Some AES-based Cryptographic Primitives
Current information security systems rely heavily on symmetric key cryptographic primitives
as one of their basic building blocks. In order to boost the efficiency of the security systems, designers
of the underlying primitives often tend to avoid the use of provably secure designs. In fact, they adopt
ad hoc designs with claimed security assumptions in the hope that they resist known cryptanalytic
attacks. Accordingly, the security evaluation of such primitives continually remains an open field. In
this thesis, we analyze the security of two cryptographic hash functions and one block cipher. We
primarily focus on the recent AES-based designs used in the new Russian Federation cryptographic
hashing and encryption suite GOST because the majority of our work was carried out during the open
research competition run by the Russian standardization body TC26 for the analysis of their new
cryptographic hash function Streebog. Although, there exist security proofs for the resistance of AES-
based primitives against standard differential and linear attacks, other cryptanalytic techniques such as
integral, rebound, and meet-in-the-middle attacks have proven to be effective. The results presented in
this thesis can be summarized as follows:
Initially, we analyze various security aspects of the Russian cryptographic hash function GOST
R 34.11-2012, also known as Streebog or Stribog. In particular, our work investigates five security
aspects of Streebog. Firstly, we present a collision analysis of the compression function and its in-
ternal cipher in the form of a series of modified rebound attacks. Secondly, we propose an integral
distinguisher for the 7- and 8-round compression function. Thirdly, we investigate the one wayness of Streebog with respect to two approaches of the meet-in-the-middle attack, where we present a
preimage analysis of the compression function and combine the results with a multicollision attack
to generate a preimage of the hash function output. Fourthly, we investigate Streebog in the context
of malicious hashing and by utilizing a carefully tailored differential path, we present a backdoored
version of the hash function where collisions can be generated with practical complexity. Lastly, we
propose a fault analysis attack which retrieves the inputs of the compression function and utilize it to
recover the secret key when Streebog is used in the keyed simple prefix and secret-IV MACs, HMAC,
or NMAC. All the presented results are on reduced round variants of the function except for our analysis
of the malicious version of Streebog and our fault analysis attack where both attacks cover the full
round hash function.
Next, we examine the preimage resistance of the AES-based Maelstrom-0 hash function which is
designed to be a lightweight alternative to the ISO standardized hash function Whirlpool. One of the
distinguishing features of the Maelstrom-0 design is the proposal of a new chaining construction called
3CM which is based on the 3C/3C+ family. In our analysis, we employ a 4-stage approach that uses
a modified technique to defeat the 3CM chaining construction and generates preimages of the 6-round
reduced Maelstrom-0 hash function.
Finally, we provide a key recovery attack on the new Russian encryption standard GOST R 34.12-
2015, also known as Kuznyechik. Although Kuznyechik adopts an AES-based design, it exhibits a
faster diffusion rate as it employs an optimal diffusion transformation. In our analysis, we propose
a meet-in-the-middle attack using the idea of efficient differential enumeration where we construct
a three round distinguisher and consequently are able to recover 16-bytes of the master key of the
reduced 5-round cipher. We also present partial sequence matching, by which we generate, store, and
match parts of the compared parameters while maintaining negligible probability of matching error,
thus the overall online time complexity of the attack is reduced
Unlinkable Policy-based Sanitizable Signatures
In CT-RSA 2020, P3S was proposed as the first policy-based sanitizable signature scheme which allows the signer to designate future message sanitizers by defining an access policy relative to their attributes rather than their keys. However, since P3S utilizes a policy-based chameleon hash (PCH), it does not achieve unlinkability which is a required notion in privacy-preserving applications. Moreover, P3S requires running a procedure to share the secret trapdoor information for PCH with each new sanitizer before sanitizing a new message. We further observe that in order to maintain the transparency in P3S’s multiple-sanitizers setting, the signature size should grow linearly with the number of sanitizers. In this work, we propose an unlinkable policy-based sanitizable signature scheme (UP3S) where we employ a rerandomizable digital signature scheme and a traceable attribute-based signature scheme as its building blocks. Compared to P3S, UP3S achieves unlinkability, does not require new secrets to be shared with future sanitizers prior to sanitizing each message, and has a fixed signature size for a given sanitization policy. We define and formally prove the security notions of the generic scheme, propose an instantiation of UP3S utilizing the Pointcheval-Sanders rerandomizable signature scheme and DTABS traceable attribute-based signature scheme, and analyze its efficiency. Finally, we compare UP3S with P3S in terms of the features of the procedures, scalability, and security models
Traceable Policy-Based Signatures with Delegation
In PKC 2014, a policy-based signature (PBS) scheme was proposed by Bellare and Fuchsbauer in which a signer can only sign messages conforming to some policy specified by an issuing authority. PBS construction supports the delegation of signing policy keys with possible restrictions to the original policy. Although the PBS scheme is meant to restrict the signing privileges of the scheme’s users, singers could easily share their signing keys with others without being held accountable since PBS does not have a tracing capability, and a signing policy key defines a policy that should be satisfied by the message only. In this work, we build on PBS and propose a traceable policy-based signature scheme (TPBS) where we employ a rerandomizable signature scheme, a digital signature scheme, and a zero-knowledge proof system as its building blocks. TPBS introduces the notion of anonymized identity keys that are used with the policy keys for signing. Thus it achieves traceability without compromising the delegatability feature of the PBS scheme. Additionally, TPBS ensures non-frameability under the assumption of a corrupted tracing authority. We define and formally prove the security notions of the generic TPBS scheme. Finally, we propose an instantiation of TPBS utilizing the Pointcheval Sanders rerandomizable signature scheme, Abe et al.’s structure-preserving signature scheme, and Groth-Sahai NIZK system, and analyze its efficiency
Security Trade-offs in Cyber Physical Systems: A Case Study Survey on Implantable Medical Devices
The new culture of networked systems that offer everywhere accessible services has given rise to various types of security trade-offs. In fact, with the evolution of physical systems that keep getting integrated with cyber frameworks, cyber threats have far more critical effects as they get reflected on the physical environment. As a result, the issue of security of cyber physical systems requires a special holistic treatment. In this paper, we study the trade-off between security, safety and availability in such systems and demonstrate these concepts on implantable medical devices as a case study. We discuss the challenges and constraints associated with securing such systems and focus on the trade-off between security measures required for blocking unauthorized access to the device, and the safety of the patient in emergency situations where such measures must be dropped to allow access. We analyze the up to date proposed solutions and discuss their strengths and limitations
Integral Distinguishers for Reduced-round Stribog
In January 2013, the Stribog hash function officially replaced GOST R 34.11-94 as the new Russian cryptographic hash standard GOST R 34.11-2012. Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3 selected by NIST. In this paper we investigate the structural integral properties of reduced version of the Stribog compression function and its internal permutation. Specifically, we present a forward and backward higher order integrals that can be used to distinguish 4 and 3.5 rounds, respectively. Moreover, using the start from the middle approach, we combine the two proposed integrals to get 6.5-round and 7.5-round distinguishers for the internal permutation and 6-round and 7-round distinguishers for the compression function
Watch your Constants: Malicious Streebog
In August 2012, the Streebog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). In this paper, we investigate the new standard in the context of malicious hashing and present a practical collision for a malicious version of the full hash function. In particular, we apply the rebound attack to find three solutions for three different differential paths for four rounds, and using the freedom of the round constants we connect them to obtain a collision for the twelve rounds of the compression function. Additionally, and due to the simple processing of the counter, we bypass the barrier of the checksum finalization step and transfer the compression function collision to the hash function output with no additional cost. The presented attack has a practical complexity and is verified by an example. While the results of this paper may not have a direct impact on the security of the current Streebog hash function, it presents an urge for the designers to publish the origin of the used parameters and the rational behind their choices in order for this function to gain enough confidence and wide spread adoption by the security community
A Meet in the Middle Attack on Reduced Round Kuznyechik
Kuznyechik is an SPN block cipher that has been recently chosen to be standardized by the Russian federation as a new GOST cipher. The algorithm updates a 128-bit state for nine rounds using a 256-bit key. In this paper, we present a meet-in-the-middle attack on the 5-round reduced cipher. Our attack is based on the differential enumeration approach, where we propose a distinguisher for the middle rounds and match a sequence of state differences at its output. However, the application of the exact approach is not successful on Kuznyechik due to its optimal round diffusion properties. Accordingly, we adopt an equivalent representation for the last round where we can efficiently filter ciphertext pairs and launch the attack in the chosen ciphertext setting. We also utilize partial sequence matching which further reduces the memory and time complexities through relaxing the error probability. The adopted partial sequence matching approach enables successful key recovery by
matching parts of the generated sequence instead of the full sequence
matching used in the traditional settings of this attack. For the 5-round reduced cipher, the 256-bit master key is recovered with a time complexity of 2^{140.3}, a memory complexity of 2^{153.3}, and a data complexity of 2^{113}
Security Analysis Of DGM and GM Group Signature Schemes Instantiated With XMSS-T
Group Merkle (GM) (PQCrypto 2018) and Dynamic Group Merkle (DGM) (ESORICS 2019) are recent proposals for post-quantum hash-based group signature schemes. They are designed as generic constructions that employ any stateful Merkle hash-based signature scheme. XMSS-T (PKC 2016, RFC8391) is the latest stateful Merkle hash-based signature scheme where (almost) optimal parameters are provided. In this paper, we show that the setup phase of both GM and DGM does not enable drop-in instantiation by XMSS-T which limits both designs in employing earlier XMSS versions with sub-optimal parameters which negatively
affects the performance of both schemes. Thus, we provide a tweak to the setup phase of GM and DGM to overcome this limitation and enable the adoption of XMSS-T. Moreover, we analyze the bit security of DGM when instantiated with XMSS-T and show that it is susceptible to multi-target attacks because of the parallel Signing Merkle Trees (SMT) approach. More precisely, when DGM is used to sign 264 messages, its bit security is 44 bits less than that of XMSS-T. Finally, we provide a DGM variant that mitigates multi-target attacks and show that it attains the same bit security as XMSS-T
GMMT: A Revocable Group Merkle Multi-Tree Signature Scheme
G-Merkle (GM) (PQCrypto 2018) is the first hash-based group signature scheme where it was stated that multi-tree approaches are not applicable, thus limiting the maximum number of supported signatures to . DGM (ESORICS 2019) is a dynamic and revocable GM-based group signature scheme that utilizes a computationally expensive puncturable encryption for revocation and requires interaction between verfiers and the group manager for signature verification. In this paper, we propose GMMT, a hash-based group signature scheme that provides solutions to the aforementioned challenges of the two schemes. GMMT builds on GM and adopts a multi-tree construction that constructs new GM trees for new signing leaves assignment while keeping the group public key unchanged. Compared to a single GM instance which enables signature, GMMT allows growing the multi-tree structure adaptively to support signatures under the same public key. Moreover, GMMT has a revocation mechanism that attains linkable anonymity of revoked signatures and has a logarithmic verfication computational complexity compared to the linear complexity of DGM. The group manager in GMMT requires storage that is linear in the number of members while the corresponding storage in DGM is linear in the number of signatures supported by the system. Concretely, for a system that supports signatures with members and provides 256-bit security, the required storage of the group manager is 1 MB (resp. TB) in GMMT(resp. DGM)
Veri
SPHINCS+ is a stateless hash-based digital signature scheme and an alternate candidate in round 3 of the NIST Post-
Quantum Cryptography standardization competition. Although not considered as a
finalist because of its performance, SPHINCS+ may be considered for standardization by NIST after another round of evaluations. In this paper, we propose a Verfi
able Obtained Random Subsets (v-ORS) generation mechanism which with one extra hash computation binds the message with the signing FORS instance (the underlying few-time signature algorithm). This enables SPHINCS+ to off
er more security against generic attacks because the proposed modi
cation restricts the ORS generation to use a hash key from the utilized signing FORS instance. Consequently, such a modi
cation enables the exploration of di
erent parameter sets for FORS to achieve better performance at the same security level. For instance, when using v-ORS, one parameter set for SPHINCS+-256s provides 82.9% reduction in the computation cost of FORS which leads to around 27% reduction in the number of hash calls of the signing procedure. Given that NIST has identfi
ed the performance of SPHINCS+ as its main
drawback, these results are a step forward in the path to standardization