Linearization and Message Modification Techniques for Hash Function Cryptanalysis
|
|
- George Gibbs
- 5 years ago
- Views:
Transcription
1 Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification Techniques 1 / 25
2 Overview Introduction Linearization and Message Modifications Application to ARIRANG Conclusions Jian Guo Linearization and Message Modification Techniques 2 / 25
3 Hash Functions - Definitions and Properties Definition A hash function h is a function to take a bit string of arbitrary length as input and produces a fixed-size output of n bits. Jian Guo Linearization and Message Modification Techniques 3 / 25
4 Hash Functions - Definitions and Properties Definition A hash function h is a function to take a bit string of arbitrary length as input and produces a fixed-size output of n bits. Properties Collision Resistance: it is computationally difficult to find x and x, such that h(x) = h(x ) with expected complexity 2 n/2. Jian Guo Linearization and Message Modification Techniques 3 / 25
5 Hash Functions - Definitions and Properties Definition A hash function h is a function to take a bit string of arbitrary length as input and produces a fixed-size output of n bits. Properties Collision Resistance: it is computationally difficult to find x and x, such that h(x) = h(x ) with expected complexity 2 n/2. Preimage Resistance: given a digest t, it is computationally difficult to find x, such that h(x) = t with expected complexity 2 n. Jian Guo Linearization and Message Modification Techniques 3 / 25
6 Hash Functions - Definitions and Properties Definition A hash function h is a function to take a bit string of arbitrary length as input and produces a fixed-size output of n bits. Properties Collision Resistance: it is computationally difficult to find x and x, such that h(x) = h(x ) with expected complexity 2 n/2. Preimage Resistance: given a digest t, it is computationally difficult to find x, such that h(x) = t with expected complexity 2 n. Second Preimage Resistance: given a message x, it is computationally difficult to find x x, such that h(x) = h(x ) with expected complexity 2 n k. Jian Guo Linearization and Message Modification Techniques 3 / 25
7 Merkle-Damgård Strengthening by Merkle and Damgård in 1989, with proof for collision resistance reduction, i.e., if the compression function f is collision resistant, then the hash function. Jian Guo Linearization and Message Modification Techniques 4 / 25
8 Davies-Meyer Construction and Collisions Davies-Meyer Construction To construct a compression function f from block cipher E: f(cv, m) = E m (CV) CV Jian Guo Linearization and Message Modification Techniques 5 / 25
9 Davies-Meyer Construction and Collisions Davies-Meyer Construction To construct a compression function f from block cipher E: f(cv, m) = E m (CV) CV Compression Function Collisions free-start collision: f(cv, m) = f(cv, m ). semi-free-start collision: f(cv, m) = f(cv, m ). Jian Guo Linearization and Message Modification Techniques 5 / 25
10 Davies-Meyer Construction and Collisions Davies-Meyer Construction To construct a compression function f from block cipher E: f(cv, m) = E m (CV) CV Compression Function Collisions free-start collision: f(cv, m) = f(cv, m ). semi-free-start collision: f(cv, m) = f(cv, m ). Note: collisions of compression function do not necessarily, and in most of the cases do not, lead to collisions of hash directly. However, it breaks the assumption of the collision proof, hence weakens the confidence on the hash securities. Jian Guo Linearization and Message Modification Techniques 5 / 25
11 Linearization Jian Guo Linearization and Message Modification Techniques 6 / 25
12 XOR Differences In many designs, Addition-Rotation-Xor (ARX) are involved. XOR Differences Let = x x, and denote g( ) as g(x) g(x ), then: when g(x) = x C (C is a constant), then g( ) = g(x) g(x ) = (x C) (x C) = x x =. Jian Guo Linearization and Message Modification Techniques / 25
13 XOR Differences In many designs, Addition-Rotation-Xor (ARX) are involved. XOR Differences Let = x x, and denote g( ) as g(x) g(x ), then: when g(x) = x C (C is a constant), then g( ) = g(x) g(x ) = (x C) (x C) = x x =. when g(x) = x r (r is a rotation constant), then g( ) = (x r) (x r) = (x x ) r = r. Jian Guo Linearization and Message Modification Techniques / 25
14 XOR Differences In many designs, Addition-Rotation-Xor (ARX) are involved. XOR Differences Let = x x, and denote g( ) as g(x) g(x ), then: when g(x) = x C (C is a constant), then g( ) = g(x) g(x ) = (x C) (x C) = x x =. when g(x) = x r (r is a rotation constant), then g( ) = (x r) (x r) = (x x ) r = r. However, when g(x) = x + C (C is a constant), g( ) = (x + C) (x + C), which is not for some cases. Jian Guo Linearization and Message Modification Techniques / 25
15 XOR Differences and Addition Modulo 2 8 Consider g(x) = x + C with the simplest case, i.e., x = 0, x = 1, hence = 1 C g(x) g(x ) g( ) Prob Jian Guo Linearization and Message Modification Techniques 8 / 25
16 XOR Differences and Addition Modulo 2 8 Consider g(x) = x + C with the simplest case, i.e., x = 0, x = 1, hence = 1 C g(x) g(x ) g( ) Prob Linearization Approximate the behaviour of addition, w.r.t. XOR differences, as XOR with probability 2. Jian Guo Linearization and Message Modification Techniques 8 / 25
17 Special Notes MSB is free Difference in most significant bit (MSB) preserves with probability 1, i.e., with x = 0, x = 2 k 1, g(x) = (x + C) mod 2 k, g( ) = for any C. Jian Guo Linearization and Message Modification Techniques 9 / 25
18 Special Notes MSB is free Difference in most significant bit (MSB) preserves with probability 1, i.e., with x = 0, x = 2 k 1, g(x) = (x + C) mod 2 k, g( ) = for any C. Linearization probability is 2, where is the difference excluding MSB. Jian Guo Linearization and Message Modification Techniques 9 / 25
19 Special Notes MSB is free Difference in most significant bit (MSB) preserves with probability 1, i.e., with x = 0, x = 2 k 1, g(x) = (x + C) mod 2 k, g( ) = for any C. Linearization probability is 2, where is the difference excluding MSB. Rotation Invariant Differences is called rotation invariant w.r.t r, if r =. E.g., is rotation invariant w.r.t. r = 4 with k = 8. Jian Guo Linearization and Message Modification Techniques 9 / 25
20 Special Notes MSB is free Difference in most significant bit (MSB) preserves with probability 1, i.e., with x = 0, x = 2 k 1, g(x) = (x + C) mod 2 k, g( ) = for any C. Linearization probability is 2, where is the difference excluding MSB. Rotation Invariant Differences is called rotation invariant w.r.t r, if r =. E.g., is rotation invariant w.r.t. r = 4 with k = 8. ALL-ONE difference ( ) is rotation invariant w.r.t. any r, k. Jian Guo Linearization and Message Modification Techniques 9 / 25
21 ARIRANG Jian Guo Linearization and Message Modification Techniques 10 / 25
22 SHA-3 candidate ARIRANG One of the first round SHA-3 candidates Designed by a team from Center for Information Security Technologies (CIST), Korea University: Donghoon Chang, Seokhie Hong, Changheon Kang, Jinkeon Kang, Jongsung Kim, Changhoon Lee, Jesang Lee, Jongtae Lee, Sangjin Lee, Yuseop Lee, Jongin Lim, Jaechul Sung Design mixing parts from AES-based (S-box, MixColumn) and ARX designs (word addition, rotations, xor) Follows Merkle-Damgård strengthening Jian Guo Linearization and Message Modification Techniques 11 / 25
23 Hash function M pad(m) 10 0 len M 1 M 2 M N 1 M N H 0 h(m) Ctr 1 Ctr 2 Ctr N 1 Ctr N Jian Guo Linearization and Message Modification Techniques 12 / 25
24 Compression function H M step 1 step 2 W σ(0), W σ(1) W σ(2), W σ(3) message expansion step 20 W σ(38), W σ(39) step 21 step 22 W σ(40), W σ(41) W σ(42), W σ(43) step 40 W σ(8), W σ(9) Jian Guo Linearization and Message Modification Techniques / 25
25 Message expansion 1 Generate 16 more words as linear combinations of M 0,...,M 15 2 Pick (with repetitions) 80 words out of the 32 words obtained in the previous step M 0,..., M 15 W 16 (M 9 M 11 M M 15 K 0 ) r 0 W 1 (M 8 M 10 M 12 M 14 K 1 ) r 1 W 18 (M 1 M 3 M 5 M K 2 ) r 2 W 19 (M 0 M 2 M 4 M 6 K 3 ) r 3 W 20 (M 14 M 4 M 10 M 0 K 4 ) r 0 W 21 (M 11 M 1 M M K 5 ) r 1 W 22 (M 6 M 12 M 2 M 8 K 6 ) r 2 W (M 3 M 9 M 15 M 5 K ) r 3 W 24 (M M 15 M 1 M 3 K 8 ) r 0 W 25 (M 4 M 6 M 8 M 10 K 9 ) r 1 W 26 (M 5 M M 9 M 11 K 10 ) r 2 W 2 (M 12 M 14 M 0 M 2 K 11 ) r 3 W 28 (M 10 M 0 M 6 M 12 K 12 ) r 0 W (M 15 M 5 M 11 M 1 K ) r 1 W 30 (M 2 M 8 M 14 M 4 K 14 ) r 2 W 31 (M M M 3 M 9 K 15 ) r 3 σ(i) σ(i) 16, 1 24, 25 0, 1 12, 5 2, 3 14, 4, 5 0, 9 6, 2, 11 18, 19 26, 2 8, 9 4, 10, 11 6, 15 12, 8, 1 14, 15 10, 3 20,21 28, 3, 6, 2 9,12, 8 15, 2 3, 14 5, 8 9, 4 22, 30, 31 11,14 15, 10 1, 4 5, 0,10 11, 6, 0 1, 12 Jian Guo Linearization and Message Modification Techniques 14 / 25
26 Step transformation transforms 8 32-bit words of the state and 8 words of the expanded message to new state uses 32-bit rotations, XORs and a bit function G 256 only non-linear (over F 2 ) part is G 256 A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 15 / 25
27 Function G 256 S S S S MDS composite megabox : 4 bytewise AES S-boxes Followed by MDS 4 4 transformation (AES MixColumn) ARIRANG-512 uses a similar function G 512 defined on bit words and using MDS 8 8. Jian Guo Linearization and Message Modification Techniques 16 / 25
28 Basic observations MDS 4 4 has fixed points of the form (a, a, a, a) MDS 4 4 = z z z z z z + 1 z z S-box differential 0xff 0xff is possible with prob. 2. Differential 0xffffffff 0xffffffff for G 256 has probability bit variant: no fixed points for MDS, but still can get all-ones to all-ones differences Jian Guo Linearization and Message Modification Techniques 1 / 25
29 All-one differences If we consider only all-one differences: A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25
30 All-one differences If we consider only all-one differences: rotations in step function do not play any role A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25
31 All-one differences If we consider only all-one differences: rotations in step function do not play any role A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25
32 All-one differences If we consider only all-one differences: rotations in step function do not play any role we can replace G 256 with identity (with prob ), i.e., 2 4 values. A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25
33 All-one differences If we consider only all-one differences: rotations in step function do not play any role we can replace G 256 with identity (with prob ), i.e., 2 4 values. A t B t C t D t E t F t G t H t W σ(2t) W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25
34 All-one differences If we consider only all-one differences: rotations in step function do not play any role we can replace G 256 with identity (with prob ), i.e., 2 4 values. One register can be represented as a single bit (truncated differential) A t B t C t D t E t F t G t H t W σ(2t) W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25
35 All-one differences If we consider only all-one differences: rotations in step function do not play any role we can replace G 256 with identity (with prob ), i.e., 2 4 values. One register can be represented as a single bit (truncated differential) Linearized model has variables: we have 2 24 paths A t B t C t D t E t F t G t H t W σ(2t) W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25
36 Satisfying conditions To eliminate probabilistic behaviour, we want to set inputs of active G 256 to good values. We have full control over words W 0,..., W 15 Through linear combinations, we have some control over words W 16,...,W 31 For semi-free-start collisions and pseudo-collisions, we additionally have control over initial values IV 0,..., IV Jian Guo Linearization and Message Modification Techniques 19 / 25
37 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25
38 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25
39 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25
40 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25
41 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25
42 Satisfying conditions If we can use initial values, conditions in steps 1 4 are always possible Depending on the number of active G, usually we can correct around steps Might be possible to correct 20 steps in some cases Jian Guo Linearization and Message Modification Techniques 21 / 25
43 Pseudo-collision path: steps 1 5 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 11, 0 W W, W 16 W 1 W 8, W 10, 15 W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 22 / 25
44 Pseudo-collision path: steps 6 10 A B 5 C 5 D 5 E 5 F 5 G 5 H W 5 1, W 3, 5 W W 5, W 18 W 19 W 0, W 2, W 4, W 6 A 6 B 6 C 6 D 6 E 6 F 6 G 6 H 6 W 8 W 9 A B C D E F G H W 10 W 11 A 8 B 8 C 8 D 8 E 8 F 8 G 8 H 8 W 12 W A 9 B 9 C 9 D 9 E 9 F 9 G 9 H 9 W 14 W 15 Jian Guo Linearization and Message Modification Techniques 22 / 25
45 Pseudo-collision path: steps A B 10 C 10 D 10 E 10 F 10 G 10 H W 10 14, W 4, 10 W W 10, W 20 W 21 W 11, W 1, 0 W, W A 11 B 11 C 11 D 11 E 11 F 11 G 11 H 11 W 3 W 6 A 12 B 12 C 12 D 12 E 12 F 12 G 12 H 12 W 9 W 12 A B C D E F G H W 15 W 2 A 14 B 14 C 14 D 14 E 14 F 14 G 14 H 14 W 5 W 8 Jian Guo Linearization and Message Modification Techniques 22 / 25
46 Pseudo-collision path: steps A B 15 C 15 D 15 E 15 F 15 G 15 H W 15 6, W 12, 15 W W 2, W 22 W W 3, W 9, 8 W 15, W 5 A 16 B 16 C 16 D 16 E 16 F 16 G 16 H 16 W 11 W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 1 W 4 A 18 B 18 C 18 D 18 E 18 F 18 G 18 H 18 W W 10 A 19 B 19 C 19 D 19 E 19 F 19 G 19 H 19 W W 0 H 1 H 2 H 3 H 4 H 5 H 6 H Jian Guo Linearization and Message Modification Techniques 22 / 25
47 Pseudo-collisions for ARIRANG-224/384 IV M step 1 step 2 step 20 step 21 step 22 step 40 message expansion single message block can use 14 message words, last two for padding message corrections: 12 active G 256 in steps 2 18, complexity 2 register H discarded for ARIRANG-224/384 pseudo-collision for the complete hash function Jian Guo Linearization and Message Modification Techniques / 25
48 Summary of results Compression function Result Complexity Example 32-bit near-collision for full ARIRANG-256 compress 1 Y 64-bit near-collision for full ARIRANG-512 compress 1 Y 26-step (out of 40) collision for ARIRANG-256/512 1 Y Hash function Result Complexity Example pseudo-collision for full ARIRANG-224/384 hash 2 / 1 Y Jian Guo Linearization and Message Modification Techniques 24 / 25
49 Conclusions A brief introduction on linearization and message modification techniques have been introduced, with example of applications to ARIRANG. Jian Guo Linearization and Message Modification Techniques 25 / 25
50 Conclusions A brief introduction on linearization and message modification techniques have been introduced, with example of applications to ARIRANG. Thanks for your attention! Jian Guo Linearization and Message Modification Techniques 25 / 25
Preimage Attack on ARIRANG
Preimage Attack on ARIRANG Deukjo Hong, Woo-Hwan Kim, Bonwook Koo The Attached Institute of ETRI, P.O.Box 1, Yuseong, Daejeon, 305-600, Korea {hongdj,whkim5,bwkoo}@ensec.re.kr Abstract. The hash function
More informationARIRANG. Designed by CIST ARIRANG. Designed by CIST. Algorithm Name : ARIRANG
ARIRANG Algorithm Name : ARIRANG Principal Submitter : Jongin Lim Tel : +82 2 3290 4044 Fax : +82 2 928 9109 Email : jilim@korea.ac.kr Organization : Korea Univ. Postal address : Center for Information
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationPractical pseudo-collisions for hash functions ARIRANG-224/384
Practical pseudo-collisions for hash functions ARIRANG-224/384 Jian Guo 1, Krystian Matusiewicz 2, Lars R. Knudsen 2, San Ling 1, and Huaxiong Wang 1 1 School of Physical and Mathematical Sciences, Nanyang
More informationPractical pseudo-collisions for hash functions ARIRANG-224/384
Practical pseudo-collisions for hash functions ARIRANG-224/384 Jian Guo 1, Krystian Matusiewicz 2, Lars R. Knudsen 2, San Ling 1, and Huaxiong Wang 1 1 School of Physical and Mathematical Sciences, Nanyang
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationSPCS Cryptography Homework 13
1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationFull-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98
Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98 Donghoon Chang 1, Jaechul Sung 2, Soohak Sung 3,SangjinLee 1,and Jongin Lim 1 1 Center for Information Security
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationPractical Free-Start Collision Attacks on full SHA-1
Practical Free-Start Collision Attacks on full SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens Séminaire Cryptologie
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationIntroduction Description of MD5. Message Modification Generate Messages Summary
How to Break MD5 and other hash functions Xiaoyun Wang and Hongbo Yu (China) Presented by: Saar Benodiz May 2012 Outline Introduction Description of MD5 Differential Attack for Hash Functions Message Modification
More informationPractical Free-Start Collision Attacks on 76-step SHA-1
Practical Free-Start Collision Attacks on 76-step SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens CWI, Amsterdam 2015
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationAURORA: A Cryptographic Hash Algorithm Family
AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationLow-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationNew Preimage Attacks Against Reduced SHA-1
New Preimage Attacks Against Reduced SHA-1 Simon Knellwolf 1 and Dmitry Khovratovich 2 1 ETH Zurich and FHNW, Switzerland 2 Microsoft Research Redmond, USA Abstract. This paper shows preimage attacks against
More informationThe Hash Function Fugue
The Hash Function Fugue Shai Halevi William E. Hall Charanjit S. Jutla IBM T.J. Watson Research Center October 6, 2009 Abstract We describe Fugue, a hash function supporting inputs of length upto 2 64
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationPreimages for Step-Reduced SHA-2
Preimages for Step-Reduced SHA-2 Jian Guo 1 and Krystian Matusiewicz 2 1 Division of Mathematical Sciences School of Physical and Mathematical Sciences Nanyang Technological University, Singapore guojian@ntu.edu.sg
More informationOnline Cryptography Course. Collision resistance. Introduc3on. Dan Boneh
Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this
More informationPreimage Attacks on 3, 4, and 5-pass HAVAL
Preimage Attacks on 3, 4, and 5-pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationPseudo-cryptanalysis of the Original Blue Midnight Wish
Pseudo-cryptanalysis of the Original Blue Midnight Wish Søren S. Thomsen DTU Mathematics, Technical University of Denmark September 28, 2009 Abstract The hash function Blue Midnight Wish (BMW) is a candidate
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationImproved Collision Attack on MD5
Improved Collision Attack on MD5 Yu Sasaki* Yusuke Naito* Noboru Kunihiro* Kazuo Ohta* *The University of Electro-Communications, Japan { yu339, tolucky } @ice.uec.ac.jp Abstract In EUROCRYPT2005, a collision
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationHigher Order Universal One-Way Hash Functions from the Subset Sum Assumption
Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au
More informationCollapsing sponges: Post-quantum security of the sponge construction
Collapsing sponges: Post-quantum security of the sponge construction Dominique Unruh University of Tartu March 27, 2017 Abstract We investigate the post-quantum security of hash functions based on the
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationNanyang Technological University, Singapore École normale supérieure de Rennes, France
Analysis of BLAKE2 Jian Guo Pierre Karpman Ivica Nikolić Lei Wang Shuang Wu Nanyang Technological University, Singapore École normale supérieure de Rennes, France The Cryptographer s Track at the RSA Conference,
More informationNew Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafael Chen
New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafael Chen New Techniques for Cryptanalysis of Cryptographic Hash Functions Research Thesis Submitted in partial fulfillment of the requirements
More informationAn Improved Fast and Secure Hash Algorithm
Journal of Information Processing Systems, Vol.8, No.1, March 2012 http://dx.doi.org/10.3745/jips.2012.8.1.119 An Improved Fast and Secure Hash Algorithm Siddharth Agarwal*, Abhinav Rungta*, R.Padmavathy*,
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationNew attacks on Keccak-224 and Keccak-256
New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University
More informationAttacks on hash functions: Cat 5 storm or a drizzle?
Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1 Outline Hash functions: Definitions Constructions Attacks What to do 2 Outline
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationCollision Attack on Boole
Collision Attack on Boole Florian Mendel, Tomislav Nad and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a, A-8010
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationCryptographic Hash Function. Norwegian University of Science and Technology. Trondheim, Norway
Cryptographic Hash Function BLUE MIDNIGHT WISH Norwegian University of Science and Technology Trondheim, Norway Danilo Gligoroski Vlastimil Klima Svein Johan Knapskog Mohamed El-Hadedy Jørn Amundsen Stig
More informationPreimage Attacks on Reduced Tiger and SHA-2
Preimage Attacks on Reduced Tiger and SHA-2 Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com Abstract. This
More informationDeterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family
Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family Somitra Kr. Sanadhya and Palash Sarkar Cryptology Research Group Applied Statistics Unit Indian Statistical Institute, Kolkata
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationA (Second) Preimage Attack on the GOST Hash Function
A (Second) Preimage Attack on the GOST Hash Function Florian Mendel, Norbert Pramstaller, and Christian Rechberger Institute for Applied Information Processing and Communications (IAIK), Graz University
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationPreimage Attacks on 3, 4, and 5-Pass HAVAL
Preimage Attacks on 3, 4, and 5-Pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationFunctional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners
Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners Zhenzhen Bao 1,2, Lei Wang 1,3, Jian Guo 2, and Dawu Gu 1 1 Shanghai Jiao Tong University, Shanghai, China 2 Nanyang Technological
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationDomain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration
Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration Palash Sarkar Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 203, B.T. Road,
More informationA Study of the MD5 Attacks: Insights and Improvements
A Study of the MD5 Attacks: Insights and Improvements John Black 1 and Martin Cochran 1 and Trevor Highland 2 1 University of Colorado at Boulder, USA www.cs.colorado.edu/ jrblack, ucsu.colorado.edu/ cochranm
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationThe PHOTON Family of Lightweight Hash Functions
The PHOTON Family of Lightweight Hash Functions Jian Guo 1, Thomas Peyrin 2, and Axel Poschmann 2 1 Institute for Infocomm Research, Singapore 2 Nanyang Technological University, Singapore {ntu.guo,thomas.peyrin}@gmail.com,
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationFinding good differential patterns for attacks on SHA-1
Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More information3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function
3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function Praveen Gauravaram 1, William Millan 1, Juanma Gonzalez Neito 1, Edward
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationCryptanalysis on HMAC/NMAC-MD5 and MD5-MAC
Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Xiaoyun Wang 1,2, Hongbo Yu 1, Wei Wang 2, Haina Zhang 2, and Tao Zhan 3 1 Center for Advanced Study, Tsinghua University, Beijing 100084, China {xiaoyunwang,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationForgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions Scott Contini 1 and Yiqun Lisa Yin 2 1 Macquarie University, Centre for Advanced Computing ACAC, NSW 2109, Australia scontini@comp.mq.edu.au
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationSecond Preimages for Iterated Hash Functions and their Implications on MACs
Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)
More informationInvariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs Jian Guo 1, Jeremy Jean 2, Ivica Nikolić 1, Kexin Qiao 3, Yu Sasaki 4, and Siang Meng Sim 1 1. Nanyang Technological
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More information