Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function
1 Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function
Alan Kaminsky, Department of Computer Science, B. Thomas Golisano College of Computing and Information Sciences, Rochester Institute of Technology
February 24, SIAM Conference on Parallel Processing for Scientific Computing (SIAM PP10)
Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 1 / 34
2 Outline
1 Cube Test
2 CubeHash
3 Parallel Cube Tests on CubeHash
4 Statistical Tests
5 Conclusions
3 Cube Test
Published by Aumasson et al. in 2009 [1]; a variation of the cube attack published by Dinur and Shamir in 2009 [2].
Probes the polynomial structure of a black-box cryptographic primitive: the tester only needs to evaluate the primitive, never to know its internal formula.
4 Cube Test: Cryptographic Primitive
The primitive under test may be a block cipher, a stream cipher, or a hash function; in each case every output bit is treated as a Boolean function of the input bits.
5 Cube Test: Crypto Primitive as Boolean Function
Cube inputs $c_1, c_2, \dots, c_C$
Superpoly inputs $s_1, s_2, \dots, s_S$
Output $= F(c_1, c_2, \dots, c_C, s_1, s_2, \dots, s_S)$
6 Cube Test: Superpoly
The output $F$ is expressed as a polynomial over GF(2) (its algebraic normal form). Factor $F$ as follows:
$$F = c_1 c_2 \cdots c_C \, Q(s_1, \dots, s_S) + R(c_1, \dots, c_C, s_1, \dots, s_S)$$
$Q$ = superpoly of $F$ with respect to the cube inputs $c_1, \dots, c_C$
$R$ = remainder: no monomial of $R$ contains all of $c_1, \dots, c_C$
$Q$ and $R$ are also polynomials over GF(2)
7 Cube Test: Superpoly Calculation
Theorem (Dinur & Shamir [2]).
$$Q(s_1, s_2, \dots, s_S) = \sum_{(c_1, c_2, \dots, c_C) \in \{0,1\}^C} F(c_1, c_2, \dots, c_C, s_1, s_2, \dots, s_S) \pmod 2$$
Proof. In the summation over the $2^C$ assignments of $c_1 c_2 \cdots c_C$, each monomial of $R$ is added an even number of times, since no monomial of $R$ contains all of $c_1, \dots, c_C$: if a monomial lacks $c_k$, the assignments with $c_k = 0$ and $c_k = 1$ contribute it equally often. Therefore, in GF(2) arithmetic, the terms of $R$ sum to 0. The term $c_1 c_2 \cdots c_C \, Q$, however, is added in only once, when $c_1 = c_2 = \dots = c_C = 1$. Therefore the summation yields just $Q$.
8 Cube Test: Superpoly Calculation Procedure
To compute $Q(s_1, s_2, \dots, s_S)$:
Set the unused inputs of $F$ to 0
Set the superpoly inputs of $F$ to $s_1, s_2, \dots, s_S$
$Q \leftarrow 0$
For each combination of $c_1, c_2, \dots, c_C$ from $(0, \dots, 0)$ to $(1, \dots, 1)$: $Q \leftarrow Q \oplus F(c_1, c_2, \dots, c_C, s_1, s_2, \dots, s_S)$
We can calculate $Q$ without even knowing the formula for $Q$, treating $F$ solely as a black box.
Calculating $Q$ takes $2^C$ evaluations of $F$, but the evaluations are independent, so the computation is massively parallel.
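The theorem and procedure above, carried out on a toy Boolean function whose superpoly can be read off by hand. This is an added example, not code from the slides; the polynomial toy_F, the choice of cube inputs {x0, x1} and superpoly inputs {x2, x3, x4}, and the unused input x5 are all constructed for the illustration. cube_sum is the black-box summation of slide 8 and works for any F of the same shape.

```python
"""Superpoly extraction by cube summation (Dinur-Shamir), checked against an
explicit GF(2) polynomial. Added example; the toy function below is constructed."""
from itertools import product


def cube_sum(F, n_inputs, cube_idx, super_idx, s_vals):
    """Q(s) = XOR of F over all 2^C assignments of the cube inputs, with the
    superpoly inputs fixed to s_vals and every other input fixed to 0."""
    x = [0] * n_inputs
    for i, v in zip(super_idx, s_vals):
        x[i] = v
    q = 0
    for corner in product((0, 1), repeat=len(cube_idx)):
        for i, v in zip(cube_idx, corner):
            x[i] = v
        q ^= F(x)
    return q


# Toy black box on 6 inputs x0..x5, written as a GF(2) polynomial so that the
# factorisation of slide 6 w.r.t. the cube {x0, x1} is visible:
#   F = x0*x1*(x2 + x3*x4 + 1)  +  x0*x3 + x1*x2*x4 + x2*x5 + x4
#       \____ cube term ____/      \________ remainder R ________/
# Every monomial of R misses x0 or x1, so R sums to 0 over the cube and
# Q(x2, x3, x4) = x2 + x3*x4 + 1.  x5 is an unused input (held at 0).
def toy_F(x):
    return ((x[0] & x[1] & (x[2] ^ (x[3] & x[4]) ^ 1))
            ^ (x[0] & x[3]) ^ (x[1] & x[2] & x[4]) ^ (x[2] & x[5]) ^ x[4])


def expected_Q(s):
    """Hand-derived superpoly for toy_F w.r.t. the cube {x0, x1}."""
    s2, s3, s4 = s
    return s2 ^ (s3 & s4) ^ 1


def theorem_holds():
    """Black-box summation agrees with the hand-derived Q for every s in {0,1}^3."""
    cube_idx, super_idx = (0, 1), (2, 3, 4)
    return all(cube_sum(toy_F, 6, cube_idx, super_idx, s) == expected_Q(s)
               for s in product((0, 1), repeat=3))


if __name__ == "__main__":
    print("cube sum equals superpoly for all s:", theorem_holds())
```

The summation needs 2^C = 4 evaluations of toy_F per value of s here; the slides' CubeHash runs go up to C = 22, i.e. about four million evaluations per sample, which is why the work is spread over a cluster.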
9 Cube Test: Multiple Simultaneous Superpolys
The cryptographic primitive calculates multiple Boolean functions $F_1, F_2, \dots, F_N$ simultaneously, one per output bit, and thus multiple superpolys $Q_1, Q_2, \dots, Q_N$: a single cube summation over the whole output word yields all $N$ superpolys at once.
10 Cube Test: Superpoly Tests
Now that we can calculate $Q_i$, we can do tests on $Q_i$. For a sound primitive, $Q_i$ should be indistinguishable from a random polynomial; if it is not, the primitive is weak.
Calculate $Q_i$ for a randomly chosen set of $C$ cube inputs, a randomly chosen set of $S$ superpoly inputs, and a random sample of superpoly input values.
Do statistical tests on the $Q_i$ values under the null hypothesis that $Q_i$ is a random polynomial.
11 Outline (section 2: CubeHash)
12 CubeHash
One-way hash function invented by Daniel Bernstein [3]
Candidate submitted to the NIST SHA-3 competition [4]
Parameters:
r = 16, number of mixing rounds per message block
b = 32, message block size (bytes)
h = 224, 256, 384, or 512, hash value size (bits)
13 CubeHash Algorithm (figure on the slide; not recoverable from the transcription)
14 CubeHash Round Function (figure on the slide; not recoverable from the transcription)
15 CubeHash: For This Investigation
Primitive: CubeHash16/32-512 (r = 16, b = 32, h = 512)
Input: 248 bits (31 bytes), so that the message plus CubeHash's padding (a 1 bit followed by zeros) fills exactly one 32-byte block
Output: 512 bits
16 Outline (section 3: Parallel Cube Tests on CubeHash)
17 Parallel Cube Tests on CubeHash: CubeTest Program
Arguments:
C = number of cube variables
S = number of superpoly variables
N = number of random samples
Procedure:
Choose C of the input bits at random to be cube variables $c_1, \dots, c_C$
Choose S other input bits at random to be superpoly variables $s_1, \dots, s_S$
For i = 1 to N: choose values at random for $s_1, \dots, s_S$ without replacement (no two samples share a superpoly setting); calculate $Q_1(s_1, \dots, s_S)$ through $Q_{512}(s_1, \dots, s_S)$, one superpoly per output bit; store $s_1, \dots, s_S$ and $Q_1, \dots, Q_{512}$ in the output file
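A sequential sketch of the CubeTest procedure above, added here as an example; it is not the slides' Java program. CubeHash is not in the Python standard library, so hashlib.sha512 stands in for the black-box primitive: like CubeHash16/32-512 on slide 15 it maps a 248-bit (31-byte) message to 512 output bits, and any bytes-to-bytes function of that shape can be substituted. The 512 superpolys of one sample are summed together by XOR-ing whole output words (slide 9). The parameters C, S, N and the seed in the usage are arbitrary choices.

```python
"""CubeTest-style sampler over a black-box primitive with 512 output bits.
Added example; hashlib.sha512 is a stand-in for CubeHash16/32-512."""
import hashlib
import random

IN_BITS = 248     # 31-byte message, as on slide 15
OUT_BITS = 512    # one superpoly Q_1..Q_512 per output bit


def sha512_as_int(x_bits: int) -> int:
    """Black-box F: 248-bit input as an int -> 512-bit output as an int."""
    msg = x_bits.to_bytes(IN_BITS // 8, "big")
    return int.from_bytes(hashlib.sha512(msg).digest(), "big")


def superpolys(F, cube_idx, super_idx, s_vals):
    """All OUT_BITS superpolys at once: XOR of F over the 2^C cube corners, with
    superpoly input bits set from s_vals and all other input bits 0. Bit i of the
    result is Q_{i+1}(s)."""
    base = 0
    for i, v in zip(super_idx, s_vals):
        if v:
            base |= 1 << i
    q = 0
    for corner in range(1 << len(cube_idx)):
        x = base
        for k, i in enumerate(cube_idx):
            if corner >> k & 1:
                x |= 1 << i
        q ^= F(x)
    return q


def cube_test(F, C, S, N, seed=1):
    """Slide 17: pick C cube and S superpoly input positions at random, then N
    distinct superpoly settings (sampling without replacement) and the 512
    superpoly values for each. Returns (cube_idx, super_idx, rows)."""
    if N > 1 << S:
        raise ValueError("N distinct superpoly settings need 2**S >= N")
    rng = random.Random(seed)
    positions = rng.sample(range(IN_BITS), C + S)   # cube and superpoly bits are disjoint
    cube_idx, super_idx = positions[:C], positions[C:]
    rows = []
    for code in rng.sample(range(1 << S), N):      # without replacement
        s_vals = tuple(code >> k & 1 for k in range(S))
        rows.append((s_vals, superpolys(F, cube_idx, super_idx, s_vals)))
    return cube_idx, super_idx, rows


def column(rows, i):
    """Values of superpoly Q_{i+1} across the samples, as a list of bits, which is
    the input the per-superpoly statistical tests work on."""
    return [q >> i & 1 for _, q in rows]


if __name__ == "__main__":
    cube_idx, super_idx, rows = cube_test(sha512_as_int, C=8, S=16, N=100)
    ones = sum(column(rows, 0))
    print("cube bits", cube_idx, "Q_1 ones/zeros over 100 samples:", ones, 100 - ones)
```

The inner loop over `range(1 << C)` is the part the slides distribute: each node takes a share of the N samples, each core a share of the 2^C corners, and the per-core partial XORs are reduced in shared memory before the rows are gathered.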
18 Parallel Cube Tests on CubeHash: Hybrid SMP Cluster Parallel Program Design
Partition the $s_1, \dots, s_S$ samples among the cluster nodes
Within a node, partition the $2^C$ values of $c_1, \dots, c_C$ among the node's CPUs and calculate $F$
Shared-memory parallel reduction (XOR) of the $F$ values to calculate $Q$
Gather the $Q$ values into one node and write the output file
19 Parallel Cube Tests on CubeHash: Parallel Program Execution
Coded in Java using the Parallel Java Library [5, 6]
Run on the tardis hybrid SMP cluster parallel computer: ten nodes, four 2.6-GHz cores and 8 GB memory per node, 1 Gbps Ethernet backend network
Run with 2 to 22 cube variables, 2 to 22 superpoly variables, 1,000 samples
Time per CubeHash16/32-512 calculation, aggregate throughput over all 40 cores = 337 nsec
20 Outline (section 4: Statistical Tests)
21 Statistical Tests: Balance Test of One Superpoly
Null hypothesis: $Q_i$ is 0 or 1 with equal probability
Chi-square test procedure:
Choose N = 100 samples at random from the output file
$n_0$ = count of 0s, $n_1$ = count of 1s
$N_0$ = expected count of 0s $= 0.5N$, $N_1$ = expected count of 1s $= 0.5N$
$$\chi^2 = \frac{(n_0 - N_0)^2}{N_0} + \frac{(n_1 - N_1)^2}{N_1}$$
Compute $\chi^2$ and its p-value ($\chi^2$ distribution with 1 d.o.f.)
If $p \le 0.01$ (the significance level), the test fails
22 Statistical Tests: Balance Test of All Superpolys
Null hypothesis: each superpoly's balance test passes with probability 0.99 and fails with probability 0.01 (at significance 0.01, about five of the 512 per-superpoly tests are expected to fail even for an ideal primitive)
Chi-square test procedure:
Choose N = 100 balance test results at random
$n_p$ = number of passed tests, $n_f$ = number of failed tests
$N_p$ = expected number of passed tests $= 0.99N$, $N_f$ = expected number of failed tests $= 0.01N$
$$\chi^2 = \frac{(n_p - N_p)^2}{N_p} + \frac{(n_f - N_f)^2}{N_f}$$
Compute $\chi^2$ and its p-value ($\chi^2$ distribution with 1 d.o.f.)
23 Statistical Tests: Balance Test Results, One Run
java Analyze BalanceAnalyzer ch_16_16_101.dat
File date = Thu Feb 18 05:38:00 EST 2010
Target = CubeHashTarget(16,32,512)
C = 16, S = 16 (Seed, Cube variables and Superpoly variables were printed but did not survive the transcription)
N = 512
[Per-bit table with columns Bit, count of 0s, count of 1s, chi^2, p; nine rows carry a *** flag; the numeric entries did not survive the transcription]
Sample pass 96
Sample fail 4
Chi^2 and P of the aggregate test: values did not survive the transcription
24 Statistical Tests: Balance Test Results, All Runs
[Table with columns S, C, Pass, Fail, Chi^2, P; the entries did not survive the transcription]
25 Statistical Tests: Balance Test Results, All Runs
[Figure: CubeHash16/32-512 balance test results; x-axis: number of cube variables, C; y-axis: number of superpoly variables, S]
26 Statistical Tests: Input/Output Independence Test
Null hypothesis: $Q_i$ is 0 or 1 with equal probability whether $s_j$ is 0 or 1
Chi-square test procedure:
Choose N = 100 samples at random from the output file
$n_0$ = count of $Q_i = 0, s_j = 0$; $N_0 = 0.5 (n_0 + n_2)$
$n_1$ = count of $Q_i = 0, s_j = 1$; $N_1 = 0.5 (n_1 + n_3)$
$n_2$ = count of $Q_i = 1, s_j = 0$; $N_2 = 0.5 (n_0 + n_2)$
$n_3$ = count of $Q_i = 1, s_j = 1$; $N_3 = 0.5 (n_1 + n_3)$
$$\chi^2 = \sum_{k=0}^{3} \frac{(n_k - N_k)^2}{N_k}$$
Compute $\chi^2$ and its p-value ($\chi^2$ distribution with 2 d.o.f.: the two $s_j$ column totals are fixed by construction, leaving two free cells)
If $p \le 0.01$ (the significance level), the test fails
27 Statistical Tests: Input/Output Independence Test Results
[Figure: CubeHash16/32-512 input/output independence test results; x-axis: number of cube variables, C; y-axis: number of superpoly variables, S]
28 Statistical Tests: Output/Output Independence Test
Null hypothesis: $Q_i$ is 0 or 1 independently of whether $Q_j$ is 0 or 1
Chi-square test procedure:
Choose N = 100 samples at random from the output file
$n_0$ = count of $Q_i = 0, Q_j = 0$; $N_0 = 0.25N$
$n_1$ = count of $Q_i = 0, Q_j = 1$; $N_1 = 0.25N$
$n_2$ = count of $Q_i = 1, Q_j = 0$; $N_2 = 0.25N$
$n_3$ = count of $Q_i = 1, Q_j = 1$; $N_3 = 0.25N$
$$\chi^2 = \sum_{k=0}^{3} \frac{(n_k - N_k)^2}{N_k}$$
Compute $\chi^2$ and its p-value ($\chi^2$ distribution with 3 d.o.f.: four cells constrained only by their total N)
If $p \le 0.01$ (the significance level), the test fails
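The four chi-square tests of slides 21, 22, 26 and 28 in one place, as an added example that is not code from the slides or from the Analyze program. Expected counts and degrees of freedom follow the slides; chi2_sf is the upper-tail chi-square probability for integer degrees of freedom, written out so the block needs only the standard library. binomial_upper_tail is an extra exact check that is not on the slides, added because the aggregate test of slide 22 has an expected failure count of only 0.01N. The bit lists in the usage are constructed.

```python
"""Chi-square tests of slides 21, 22, 26 and 28 with a standard-library p-value.
Added example; the inputs used in __main__ are constructed."""
import math

ALPHA = 0.01  # significance level used throughout the slides


def chi2_sf(x, k):
    """P(X >= x) for X ~ chi-square with k d.o.f. (k a positive integer), via
    Q(x; k+2) = Q(x; k) + (x/2)^(k/2) * exp(-x/2) / Gamma(k/2 + 1),
    started from Q(x; 1) = erfc(sqrt(x/2)) or Q(x; 2) = exp(-x/2)."""
    if x <= 0:
        return 1.0
    if k % 2:
        q, j = math.erfc(math.sqrt(x / 2)), 1
    else:
        q, j = math.exp(-x / 2), 2
    while j < k:
        q += (x / 2) ** (j / 2) * math.exp(-x / 2) / math.gamma(j / 2 + 1)
        j += 2
    return q


def chi2_stat(observed, expected):
    """Pearson statistic; a cell with expected count 0 (and so observed 0) is skipped."""
    return sum((n - e) ** 2 / e for n, e in zip(observed, expected) if e > 0)


def verdict(chi2, dof):
    """(chi2, p, passed); the test fails when p <= ALPHA."""
    p = chi2_sf(chi2, dof)
    return chi2, p, p > ALPHA


def balance_test(q_bits):
    """Slide 21: H0 is Pr[Q_i = 0] = Pr[Q_i = 1] = 1/2, expected N/2 each, 1 d.o.f."""
    n, n1 = len(q_bits), sum(q_bits)
    return verdict(chi2_stat((n - n1, n1), (n / 2, n / 2)), 1)


def aggregate_test(n_pass, n_fail):
    """Slide 22: each per-superpoly test passes w.p. 0.99 under H0, 1 d.o.f."""
    n = n_pass + n_fail
    return verdict(chi2_stat((n_pass, n_fail), (0.99 * n, 0.01 * n)), 1)


def io_independence_test(q_bits, s_bits):
    """Slide 26: Q_i balanced among samples with s_j = 0 and among those with s_j = 1.
    Expected counts use the observed s_j column totals, fixing two cells: 2 d.o.f."""
    n = [0, 0, 0, 0]
    for q, s in zip(q_bits, s_bits):
        n[2 * q + s] += 1          # cells: 0=(Q0,s0) 1=(Q0,s1) 2=(Q1,s0) 3=(Q1,s1)
    e0, e1 = (n[0] + n[2]) / 2, (n[1] + n[3]) / 2
    return verdict(chi2_stat(n, (e0, e1, e0, e1)), 2)


def oo_independence_test(qi_bits, qj_bits):
    """Slide 28: (Q_i, Q_j) uniform on {0,1}^2, expected N/4 per cell, 3 d.o.f."""
    n = [0, 0, 0, 0]
    for a, b in zip(qi_bits, qj_bits):
        n[2 * a + b] += 1
    return verdict(chi2_stat(n, (len(qi_bits) / 4,) * 4), 3)


def binomial_upper_tail(k, n, p):
    """Exact P(X >= k) for X ~ Binomial(n, p). A check on aggregate_test: with N = 100
    the expected failure count is 1, well below the ~5 per cell usually wanted for the
    chi-square approximation (this check is an addition, not on the slides)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


if __name__ == "__main__":
    # Constructed inputs: a balanced column and a heavily skewed one.
    print("balanced :", balance_test([0] * 50 + [1] * 50))
    print("skewed   :", balance_test([0] * 70 + [1] * 30))
    print("aggregate:", aggregate_test(96, 4), "exact tail", binomial_upper_tail(4, 100, 0.01))
```

For the pass/fail counts printed on slide 23 (96 passed, 4 failed), aggregate_test gives χ² = 100/11 ≈ 9.09 and a chi-square p of about 0.0026, i.e. a failure at α = 0.01, while the exact binomial tail P(X ≥ 4 | n = 100, p = 0.01) is about 0.018; with an expected failure count of 1 the exact figure is the better guide. Column inputs for balance_test, io_independence_test and oo_independence_test come straight from the per-bit columns and the stored superpoly settings in the CubeTest output file.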
29 Statistical Tests: Output/Output Independence Test Results
[Figure: CubeHash16/32-512 output/output independence test results; x-axis: number of cube variables, C; y-axis: number of superpoly variables, S]
30 Outline (section 5: Conclusions)
31 Conclusions
Overall, the statistical test results were as expected for a significance level of 0.01
The statistical tests did not reveal nonrandom behavior of CubeHash16/32-512 for the parameters tested (up to 22 cube variables and 22 superpoly variables, 1,000 samples per run)
CubeHash is still a viable SHA-3 candidate
32 Future Work
Test larger numbers of cube variables and superpoly variables
Perform additional statistical tests: tests for linear superpoly variables and for neutral superpoly variables
Test other SHA-3 candidate hash functions
Port the cube testing framework to the GPU
33 References
[1] J.-P. Aumasson, I. Dinur, W. Meier, and A. Shamir. Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In Fast Software Encryption (FSE).
[2] I. Dinur and A. Shamir. Cube attacks on tweakable black box polynomials. Cryptology ePrint Archive, Report 2008/385, January 26.
[3] D. J. Bernstein. CubeHash specification (2.B.1).
[4] NIST Cryptographic Hash Algorithm Competition.
[5] A. Kaminsky. Parallel Java: A unified API for shared memory and cluster parallel programming in 100% Java. In 21st IEEE International Parallel and Distributed Processing Symposium (IPDPS 2007).
[6] A. Kaminsky. Parallel Java Library.
34 Contact Information
Alan Kaminsky
Department of Computer Science
B. Thomas Golisano College of Computing and Information Sciences
Rochester Institute of Technology
102 Lomb Memorial Drive
Rochester, NY
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationA GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS
A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS Guanhan Chew, Khoongming Khoo DSO National Laboratories, 20 Science Park Drive, Singapore 118230 cguanhan,kkhoongm@dso.org.sg
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationImproved Generalized Birthday Attack
Improved Generalized Birthday Attack Paul Kirchner July 11, 2011 Abstract Let r, B and w be positive integers. Let C be a linear code of length Bw and subspace of F r 2. The k-regular-decoding problem
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura, Anne Canteaut, Christophe De Cannière To cite this version: Christina Boura, Anne Canteaut, Christophe De Cannière. Higher-order
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationDynamic Cube Attack on 105 round Grain v1
Noname manuscript No. (will be inserted by the editor) Dynamic Cube Attack on 105 round Grain v1 Subhadeep Banik Received: date / Accepted: date Abstract As far as the Differential Cryptanalysis of reduced
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationOvertaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab
Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationRotational cryptanalysis of round-reduced Keccak
Rotational cryptanalysis of round-reduced Keccak Pawe l Morawiecki 1,3, Josef Pieprzyk 2, and Marian Srebrny 1,3 1 Section of Informatics, University of Commerce, Kielce, Poland pawelm@wsh-kielce.edu.pl
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More information