Quantum rebound attack to D-M structure based on ARIA algorithm

Abstract With the increasing application of quantum computing, quantum technology is increasingly used in the security analysis and research of multiple symmetric cryptographic algorithms such as block ciphers and hash functions. In 2020, Sasaki et al. proposed a dedicated quantum collision attack against hash functions in EUROCRYPT. Some differential trajectories with a probability of 2−2n/3 that cannot be used in the classical environment may be used to launch collision attacks in the quantum environment. The ARIA algorithm is a block cipher proposed by the Korean researcher Kwon et al. on ICISC 2003. The block cipher algorithm is similar to AES in structure. This article mainly analyzes the security of Davies-Meyer structure, and uses AIRA as the permutation function to construct ARIA hash function based on the DM hash model. A new AIRA differential path was found based on MILP, and 7 rounds of ARIA-DM hash function quantum rebound attacks were given.

Download Full-text

SECURITY ANALYSIS BETWEEN STATIC AND DYNAMIC S-BOXES IN BLOCK CIPHERS

Journal of Information System and Technology Management ◽

10.35631/jistm.620002 ◽

2021 ◽

Vol 6 (20) ◽

pp. 10-16

Author(s):

Nur Hafiza Zakaria ◽

Azuan Ahmad ◽

Azni Haslizan Ab Halim ◽

Farida Hazwani Mohd Ridzuan

Keyword(s):

Computer Security ◽

Block Cipher ◽

Security Analysis ◽

Block Ciphers ◽

Statistical Test ◽

Evaluation Tool ◽

Work Related ◽

Security Research ◽

Cryptographic Algorithms ◽

Tool Set

The development of block ciphers has resulted in a number of cryptographic algorithms such as AES, aria, blowfish256, desl, and 3d-aes. AES is one of the best cryptographic algorithms that can be used to protect electronic data. However, the principal weakness in AES is the linearity in the s-box. The objective of this research is to investigate and evaluate the existing work related to the dynamic s-box. Other than that, the aim of this research is to design a dynamic s-box using affine transformation in order to increase the security of the encryption. The method to design is using java with the NetBeans software. The proposed block cipher will be tested using NIST statistical test suite to test the randomness of the algorithm. Besides, the strength of the s-box will be analyzed using the s-box evaluation tool (set). The cryptographic strength depends strongly on the choice of s-box. Therefore, this new proposed block cipher can be used by countries, organizations, stakeholders, or interested parties as one of the secure algorithms to increase the protection of the information and also will contribute as an alternative to other cryptographic algorithms in computer security research.

Download Full-text

New Semi-Free-Start Collision Attack Framework for Reduced RIPEMD-160

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2019.i3.169-192 ◽

2019 ◽

pp. 169-192

Author(s):

Fukang Liu ◽

Christoph Dobraunig ◽

Florian Mendel ◽

Takanori Isobe ◽

Gaoli Wang ◽

...

Keyword(s):

Hash Function ◽

Time Complexity ◽

Hash Functions ◽

Stream Structure ◽

Collision Attack ◽

Time Period ◽

Collision Attacks ◽

Memory Complexity ◽

New Framework

RIPEMD-160 is a hash function published in 1996, which shares similarities with other hash functions designed in this time-period like MD4, MD5 and SHA-1. However, for RIPEMD-160, no (semi-free-start) collision attacks on the full number of steps are known. Hence, it is still used, e.g., to generate Bitcoin addresses together with SHA-256, and is an ISO/IEC standard. Due to its dual-stream structure, even semifree- start collision attacks starting from the first step only reach 36 steps, which were firstly shown by Mendel et al. at Asiacrypt 2013 and later improved by Liu, Mendel and Wang at Asiacrypt 2017. Both of the attacks are based on a similar freedom degree utilization technique as proposed by Landelle and Peyrin at Eurocrypt 2013. However, the best known semi-free-start collision attack on 36 steps of RIPEMD-160 presented at Asiacrypt 2017 still requires 255.1 time and 232 memory. Consequently, a practical semi-free-start collision attack for the first 36 steps of RIPEMD-160 still requires a significant amount of resources. Considering the structure of these previous semi-free-start collision attacks for 36 steps of RIPEMD-160, it seems hard to extend it to more steps. Thus, we develop a different semi-free-start collision attack framework for reduced RIPEMD-160 by carefully investigating the message expansion of RIPEMD-160. Our new framework has several advantages. First of all, it allows to extend the attacks to more steps. Second, the memory complexity of the attacks is negligible. Hence, we were able to mount semi-free-start collision attacks on 36 and 37 steps of RIPEMD-160 with practical time complexity 241 and 249 respectively. Additionally, we describe semi-free-start collision attacks on 38 and 40 (out of 80) steps of RIPEMD-160 with time complexity 252 and 274.6, respectively. To the best of our knowledge, these are the best semi-free-start collision attacks for RIPEMD-160 starting from the first step with respect to the number of steps, including the first practical colliding message pairs for 36 and 37 steps of RIPEMD-160.

Download Full-text

A New Design of Cryptographic Hash Function: Gear

International Journal on Perceptive and Cognitive Computing ◽

10.31436/ijpcc.v1i1.14 ◽

2016 ◽

Vol 1 (1) ◽

Author(s):

Abdulaziz M Alkandari ◽

Khalil Ibrahim Alkandari ◽

Imad Fakhri Alshaikhli ◽

Mohammad A. AlAhmad

Keyword(s):

Hash Function ◽

Block Cipher ◽

Hash Functions ◽

Fixed Size ◽

Compression Function ◽

Cryptographic Hash Function ◽

Mode Of Operation ◽

Main Components ◽

Map Data ◽

And Diffusion

A hash function is any function that can be used to map data of arbitrary sizeto data of fixed size. A hash function usually has two main components: a permutationfunction or compression function and mode of operation. We will propose a new concretenovel design of a permutation based hash functions called Gear in this paper. It is a hashfunction based on block cipher in Davies-Meyer mode. It uses the patched version ofMerkle-DamgÃ¥rd, i.e. the wide pipe construction as its mode of operation. Thus, theintermediate chaining value has at least twice larger length than the output hash. Andthe permutations functions used in Gear are inspired from the SHA-3 finalist GrÃ¸estl hashfunction which is originally inspired from Rijndael design (AES). There is a very strongconfusion and diffusion in Gear as a result.

Download Full-text

Block Ciphers with Matrices Operating Alternately over Columns and Rows

Journal of Science and Technology on Information security ◽

10.54654/isj.v2i12.84 ◽

2021 ◽

Vol 2 (12) ◽

pp. 18-29

Author(s):

Pablo Freyre ◽

Oristela Cuellar ◽

Nelson Díaz ◽

Adrián Alfonso

Keyword(s):

Block Cipher ◽

Three Dimensional ◽

Block Ciphers ◽

The State ◽

Rectangular Parallelepiped ◽

Pseudorandom Sequences ◽

Cryptographic Algorithms

Abstract—In this paper, we present the dynamic cryptographic algorithms for long states named ACDEL-2D and ACDEL-3D. The first one was inspired by Rijndael and the second one was inspired by 3D, a three-dimensional block cipher. In both proposals, MDS matrices are used alternately on rows and columns of the state and all transformations used in the encryption process are randomly selected depending on pseudorandom sequences. In the block cipher ACDEL-3D the state takes the form of a rectangular parallelepiped or cuboid.Tóm tắt—Trong bài báo này, chúng tôi trình bày các thuật toán mật mã động cho các trạng thái dài, có tên là ACDEL-2D và ACDEL-3D. Thuật toán đầu tiên bắt nguồn từ thuật toán Rijndael và thuật toán thứ hai bắt nguồn từ thuật toán 3D, một thuật toán với khối dữ liệu được biểu diễn ở dạng ba chiều. Cả hai đề xuất đều sử dụng xen kẽ ma trận MDS trong các hàng và cột của trạng thái và tất cả các phép biến đổi được sử dụng trong quá trình mã hóa được chọn ngẫu nhiên tùy thuộc vào chuỗi giả ngẫu nhiên. Trong mật mã khối ACDEL-3D, trạng thái có dạng hình chữ nhật song song hoặc hình khối.

Download Full-text

SITM: See-In-The-Middle Side-Channel Assisted Middle Round Differential Cryptanalysis on SPN Block Ciphers

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2020.i1.95-122 ◽

2019 ◽

pp. 95-122

Author(s):

Shivam Bhasin ◽

Jakub Breier ◽

Xiaolu Hou ◽

Dirmanto Jap ◽

Romain Poussier ◽

...

Keyword(s):

Block Cipher ◽

State Of The Art ◽

Block Ciphers ◽

Differential Cryptanalysis ◽

Side Channel ◽

Secret Key ◽

Side Channel Analysis ◽

Cryptographic Algorithms ◽

Channel Analysis ◽

Symmetric Block

Side-channel analysis constitutes a powerful attack vector against cryptographic implementations. Techniques such as power and electromagnetic side-channel analysis have been extensively studied to provide an efficient way to recover the secret key used in cryptographic algorithms. To protect against such attacks, countermeasure designers have developed protection methods, such as masking and hiding, to make the attacks harder. However, due to significant overheads, these protections are sometimes deployed only at the beginning and the end of encryption, which are the main targets for side-channel attacks.In this paper, we present a methodology for side-channel assisted differential cryptanalysis attack to target middle rounds of block cipher implementations. Such method presents a powerful attack vector against designs that normally only protect the beginning and end rounds of ciphers. We generalize the attack to SPN based ciphers and calculate the effort the attacker needs to recover the secret key. We provide experimental results on 8-bit and 32-bit microcontrollers. We provide case studies on state-of-the-art symmetric block ciphers, such as AES, SKINNY, and PRESENT. Furthermore, we show how to attack shuffling-protected implementations.

Download Full-text

Collision Attacks on AES-192/256, Crypton-192/256, mCrypton-96/128, and Anubis

Journal of Applied Mathematics ◽

10.1155/2013/713673 ◽

2013 ◽

Vol 2013 ◽

pp. 1-10 ◽

Cited By ~ 3

Author(s):

Jinkeon Kang ◽

Kitae Jeong ◽

Jaechul Sung ◽

Seokhie Hong ◽

Kyungho Lee

Keyword(s):

Block Ciphers ◽

Collision Attack ◽

Collision Attacks

At AES’00, a collision attack on 7-round reduced AES was proposed. In this paper, we apply this idea to seven SPN block ciphers, AES-192/256, Crypton-192/256, mCrypton-96/128, and Anubis. Applying our attacks on AES-192/256, we improve the attack result based on meet-in-the-middle attack (AES-192) and the attack result proposed in AES’00 (AES-256), respectively. Our attack result on Anubis is superior to known cryptanalytic result on it. In the cases of Crypton-192/256 and mCrypton-96/128, our attacks are applicable to 8-round reduced versions. The attack results on mCrypton-96/128 are more practical than known cryptanalytic results on them.

Download Full-text

Security of a New Cryptographic Hash Function - Titanium

Indonesian Journal of Electrical Engineering and Computer Science ◽

10.11591/ijeecs.v10.i3.pp1244-1250 ◽

2018 ◽

Vol 10 (3) ◽

pp. 1244

Author(s):

Abdullah Nazeeh Saleh ◽

Mohammad A. Al-Ahmad

Keyword(s):

Hash Function ◽

Random Function ◽

Block Cipher ◽

Security Analysis ◽

Differential Cryptanalysis ◽

Brute Force ◽

Cryptographic Hash Function ◽

Design Choice ◽

Differential Attacks

This paper introduces the security analysis of Titanium hash function that uses SF block cipher and follows sponge construction. A brief description of the sponge function and the design choice of Titanium are introduced. Basic security criteria of random function have been presented and studied on Titanium and then, differential cryptanalysis on Titanium has been performed and showed the resistance of it on the most recent differential attacks. A table of security discussions finalizes the paper and describes the complexity of Titanium on brute force cryptanalysis.

Download Full-text

A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i3.73-107 ◽

2017 ◽

pp. 73-107 ◽

Cited By ~ 4

Author(s):

Carlos Cid ◽

Tao Huang ◽

Thomas Peyrin ◽

Yu Sasaki ◽

Ling Song

Keyword(s):

Linear Programming ◽

Mixed Integer Linear Programming ◽

Block Cipher ◽

Security Analysis ◽

Block Ciphers ◽

Mixed Integer ◽

Authenticated Encryption ◽

Search Tool ◽

Caesar Competition ◽

Milp Model

In this article, we provide the first independent security analysis of Deoxys, a third-round authenticated encryption candidate of the CAESAR competition, and its internal tweakable block ciphers Deoxys-BC-256 and Deoxys-BC-384. We show that the related-tweakey differential bounds provided by the designers can be greatly improved thanks to a Mixed Integer Linear Programming (MILP) based search tool. In particular, we develop a new method to incorporate linear incompatibility in the MILP model. We use this tool to generate valid differential paths for reduced-round versions of Deoxys-BC-256 and Deoxys-BC-384, later combining them into broader boomerang or rectangle attacks. Here, we also develop a new MILP model which optimises the two paths by taking into account the effect of the ladder switch technique. Interestingly, with the tweak in Deoxys-BC providing extra input as opposed to a classical block cipher, we can even consider beyond full-codebook attacks. As these primitives are based on the TWEAKEY framework, we further study how the security of the cipher is impacted when playing with the tweak/key sizes. All in all, we are able to attack 10 rounds of Deoxys-BC-256 (out of 14) and 13 rounds of Deoxys-BC-384 (out of 16). The extra rounds specified in Deoxys-BC to balance the tweak input (when compared to AES) seem to provide about the same security margin as AES-128. Finally we analyse why the authenticated encryption modes of Deoxys mostly prevent our attacks on Deoxys-BC to apply to the authenticated encryption primitive.

Download Full-text

A Method to Bound the Number of Active S-Boxes for a Kind of AES-Like Structure

The Computer Journal ◽

10.1093/comjnl/bxz006 ◽

2019 ◽

Vol 62 (8) ◽

pp. 1121-1131

Author(s):

Qian Wang ◽

Chenhui Jin

Keyword(s):

Lower Bound ◽

Lower Bounds ◽

Hash Function ◽

High Performance ◽

Block Cipher ◽

Hash Functions ◽

Theoretical Method ◽

Building Blocks ◽

Branch Number ◽

Diffusion Layers

AbstractDue to the strong security and high performance of the AES block cipher, many hash functions take AES-like structures as building blocks. To evaluate the security of these AES-like structures against differential cryptanalysis, giving the lower bounds on the number of active S-boxes in a differential trail, is an important perspective. However, the original ‘wide-trail strategy’ for AES becomes less effective to get tight bounds for these AES-like structures, because of the different state dimensions (M×M2, instead of M×M) and different round functions from AES. In this paper, we focus on a kind of AES-like structure with state dimensions M×M2, diffusion-optimal permutations and MixColumns transformations using MDS matrices. Inspired by the ‘wide-trail strategy’, we propose a theoretical method to count active S-boxes, by which we prove that there are at least rBd(Bd−1) active S-boxes in any 2r(r≥3) rounds of such an AES-like structure, where Bd is the differential branch number of the MixColumns transformation and equals to M+1. What’s more, this lower bound can be achieved by some diffusion layers. As examples, we apply our method to the LANE hash function and 3D block cipher, optimal lower bounds are both got.

Download Full-text

Hash functions from superspecial genus-2 curves using Richelot isogenies

Journal of Mathematical Cryptology ◽

10.1515/jmc-2019-0021 ◽

2020 ◽

Vol 14 (1) ◽

pp. 268-292

Author(s):

Wouter Castryck ◽

Thomas Decru ◽

Benjamin Smith

Keyword(s):

Finite Field ◽

Elliptic Curve ◽

Hash Function ◽

Security Analysis ◽

Hash Functions ◽

Square Root ◽

Square Roots ◽

Higher Dimensional ◽

Genus 2 ◽

Genus 2 Curves

AbstractIn 2018 Takashima proposed a version of Charles, Goren and Lauter’s hash function using Richelot isogenies, starting from a genus-2 curve that allows for all subsequent arithmetic to be performed over a quadratic finite field 𝔽p2. In 2019 Flynn and Ti pointed out that Takashima’s hash function is insecure due to the existence of small isogeny cycles. We revisit the construction and show that it can be repaired by imposing a simple restriction, which moreover clarifies the security analysis. The runtime of the resulting hash function is dominated by the extraction of 3 square roots for every block of 3 bits of the message, as compared to one square root per bit in the elliptic curve case; however in our setting the extractions can be parallelized and are done in a finite field whose bit size is reduced by a factor 3. Along the way we argue that the full supersingular isogeny graph is the wrong context in which to study higher-dimensional analogues of Charles, Goren and Lauter’s hash function, and advocate the use of the superspecial subgraph, which is the natural framework in which to view Takashima’s 𝔽p2-friendly starting curve.

Download Full-text