A Method to Bound the Number of Active S-Boxes for a Kind of AES-Like Structure

2019 ◽  
Vol 62 (8) ◽  
pp. 1121-1131
Author(s):  
Qian Wang ◽  
Chenhui Jin
Keyword(s):  
Lower Bound ◽  
Lower Bounds ◽  
Hash Function ◽  
High Performance ◽  
Block Cipher ◽  
Hash Functions ◽  
Theoretical Method ◽  
Building Blocks ◽  
Branch Number ◽  
Diffusion Layers

AbstractDue to the strong security and high performance of the AES block cipher, many hash functions take AES-like structures as building blocks. To evaluate the security of these AES-like structures against differential cryptanalysis, giving the lower bounds on the number of active S-boxes in a differential trail, is an important perspective. However, the original ‘wide-trail strategy’ for AES becomes less effective to get tight bounds for these AES-like structures, because of the different state dimensions (M×M2, instead of M×M) and different round functions from AES. In this paper, we focus on a kind of AES-like structure with state dimensions M×M2, diffusion-optimal permutations and MixColumns transformations using MDS matrices. Inspired by the ‘wide-trail strategy’, we propose a theoretical method to count active S-boxes, by which we prove that there are at least rBd(Bd−1) active S-boxes in any 2r(r≥3) rounds of such an AES-like structure, where Bd is the differential branch number of the MixColumns transformation and equals to M+1. What’s more, this lower bound can be achieved by some diffusion layers. As examples, we apply our method to the LANE hash function and 3D block cipher, optimal lower bounds are both got.

scholarly journals A New Design of Cryptographic Hash Function: Gear

2016 ◽  
Vol 1 (1) ◽  
Author(s):  
Abdulaziz M Alkandari ◽  
Khalil Ibrahim Alkandari ◽  
Imad Fakhri Alshaikhli ◽  
Mohammad A. AlAhmad
Keyword(s):  
Hash Function ◽  
Block Cipher ◽  
Hash Functions ◽  
Fixed Size ◽  
Compression Function ◽  
Cryptographic Hash Function ◽  
Mode Of Operation ◽  
Main Components ◽  
Map Data ◽  
And Diffusion

A hash function is any function that can be used to map data of arbitrary sizeto data of fixed size. A hash function usually has two main components: a permutationfunction or compression function and mode of operation. We will propose a new concretenovel design of a permutation based hash functions called Gear in this paper. It is a hashfunction based on block cipher in Davies-Meyer mode. It uses the patched version ofMerkle-Damgård, i.e. the wide pipe construction as its mode of operation. Thus, theintermediate chaining value has at least twice larger length than the output hash. Andthe permutations functions used in Gear are inspired from the SHA-3 finalist Grøestl hashfunction which is originally inspired from Rijndael design (AES). There is a very strongconfusion and diffusion in Gear as a result.

scholarly journals Haraka v2 – Efficient Short-Input Hashing for Post-Quantum Applications

2017 ◽  
pp. 1-29 ◽  
Author(s):  
Stefan Kölbl ◽  
Martin M. Lauridsen ◽  
Florian Mendel ◽  
Christian Rechberger
Keyword(s):  
Hash Function ◽  
High Performance ◽  
Hash Functions ◽  
Low Latency ◽  
Design Strategies ◽  
Signature Schemes ◽  
Collision Resistance ◽  
Preimage Resistance ◽  
Function Design ◽  
General Tool

Recently, many efficient cryptographic hash function design strategies have been explored, not least because of the SHA-3 competition. These designs are, almost exclusively, geared towards high performance on long inputs. However, various applications exist where the performance on short (fixed length) inputs matters more. Such hash functions are the bottleneck in hash-based signature schemes like SPHINCS or XMSS, which is currently under standardization. Secure functions specifically designed for such applications are scarce. We attend to this gap by proposing two short-input hash functions (or rather simply compression functions). By utilizing AES instructions on modern CPUs, our proposals are the fastest on such platforms, reaching throughputs below one cycle per hashed byte even for short inputs, while still having a very low latency of less than 60 cycles. Under the hood, this results comes with several innovations. First, we study whether the number of rounds for our hash functions can be reduced, if only second-preimage resistance (and not collision resistance) is required. The conclusion is: only a little. Second, since their inception, AES-like designs allow for supportive security arguments by means of counting and bounding the number of active S-boxes. However, this ignores powerful attack vectors using truncated differentials, including the powerful rebound attacks. We develop a general tool-based method to include arguments against attack vectors using truncated differentials.

scholarly journals Lightweight Iterative MDS Matrices: How Small Can We Go?

2020 ◽  
pp. 147-170
Author(s):  
Shun Li ◽  
Siwei Sun ◽  
Danping Shi ◽  
Chaoyun Li ◽  
Lei Hu
Keyword(s):  
Lower Bound ◽  
Design Space ◽  
Low Cost ◽  
Optimal Solution ◽  
Building Blocks ◽  
Block Matrix ◽  
Diffusion Layers ◽  
Binary Matrices ◽  
Symmetric Key ◽  
Iterative Construction

As perfect building blocks for the diffusion layers of many symmetric-key primitives, the construction of MDS matrices with lightweight circuits has received much attention from the symmetric-key community. One promising way of realizing low-cost MDS matrices is based on the iterative construction: a low-cost matrix becomes MDS after rising it to a certain power. To be more specific, if At is MDS, then one can implement A instead of At to achieve the MDS property at the expense of an increased latency with t clock cycles. In this work, we identify the exact lower bound of the number of nonzero blocks for a 4 × 4 block matrix to be potentially iterative-MDS. Subsequently, we show that the theoretically lightest 4 × 4 iterative MDS block matrix (whose entries or blocks are 4 × 4 binary matrices) with minimal nonzero blocks costs at least 3 XOR gates, and a concrete example achieving the 3-XOR bound is provided. Moreover, we prove that there is no hope for previous constructions (GFS, LFS, DSI, and spares DSI) to beat this bound. Since the circuit latency is another important factor, we also consider the lower bound of the number of iterations for certain iterative MDS matrices. Guided by these bounds and based on the ideas employed to identify them, we explore the design space of lightweight iterative MDS matrices with other dimensions and report on improved results. Whenever we are unable to find better results, we try to determine the bound of the optimal solution. As a result, the optimality of some previous results is proved.

scholarly journals Lightweight Diffusion Layer: Importance of Toeplitz Matrices

2016 ◽  
pp. 95-113 ◽  
Author(s):  
Sumanta Sarkar ◽  
Habeeb Syed
Keyword(s):  
Lower Bound ◽  
Diffusion Layer ◽  
Hardware Implementation ◽  
Toeplitz Matrices ◽  
Building Blocks ◽  
Block Ciphers ◽  
Implementation Cost ◽  
Mds Matrix ◽  
Minimum Value ◽  
Diffusion Layers

MDS matrices are used as building blocks of diffusion layers in block ciphers, and XOR count is a metric that estimates the hardware implementation cost. In this paper we report the minimum value of XOR counts of 4 × 4 MDS matrices over F24 and F28 , respectively. We give theoretical constructions of Toeplitz MDS matrices and show that they achieve the minimum XOR count. We also prove that Toeplitz matrices cannot be both MDS and involutory. Further we give theoretical constructions of 4 × 4 involutory MDS matrices over F24 and F28 that have the best known XOR counts so far: for F24 our construction gives an involutory MDS matrix that actually improves the existing lower bound of XOR count, whereas for F28 , it meets the known lower bound.

scholarly journals Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model

2020 ◽  
pp. 1-22
Author(s):  
Aldo Gunsing ◽  
Joan Daemen ◽  
Bart Mennink
Keyword(s):  
Hash Function ◽  
Block Cipher ◽  
Hash Functions ◽  
The State ◽  
Use Cases ◽  
Limited Impact ◽  
Double Decker ◽  
Keyed Hash Function ◽  
Pseudorandom Function ◽  
Strong Claim

We present two tweakable wide block cipher modes from doubly-extendable cryptographic keyed (deck) functions and a keyed hash function: double-decker and docked-double-decker. Double-decker is a direct generalization of Farfalle-WBC of Bertoni et al. (ToSC 2017(4)), and is a four-round Feistel network on two arbitrarily large branches, where the middle two rounds call deck functions and the first and last rounds call the keyed hash function. Docked-double-decker is a variant of double-decker where the bulk of the input to the deck functions is moved to the keyed hash functions. We prove that the distinguishing advantage of the resulting wide block ciphers is simply two times the sum of the pseudorandom function distinguishing advantage of the deck function and the blinded keyed hashing distinguishing advantage of the keyed hash functions. We demonstrate that blinded keyed hashing is more general than the conventional notion of XOR-universality, and that it allows us to instantiate our constructions with keyed hash functions that have a very strong claim on bkh security but not necessarily on XOR-universality, such as Xoofffie (ePrint 2018/767). The bounds of double-decker and docked-double-decker are moreover reduced tweak-dependent, informally meaning that collisions on the keyed hash function for different tweaks only have a limited impact. We describe two use cases that can exploit this property opportunistically to get stronger security than what would be achieved with prior solutions: SSD encryption, where each sector can only be written to a limited number of times, and incremental tweaks, where one includes the state of the system in the variable-length tweak and appends new data incrementally.

scholarly journals Quantum rebound attack to D-M structure based on ARIA algorithm

2021 ◽  
Vol 2078 (1) ◽  
pp. 012003
Author(s):  
Shanque Dou ◽  
Ming Mao ◽  
Yanjun Li ◽  
Dongying Qiu
Keyword(s):  
Quantum Computing ◽  
Hash Function ◽  
Block Cipher ◽  
Security Analysis ◽  
Hash Functions ◽  
Block Ciphers ◽  
Collision Attack ◽  
Cryptographic Algorithms ◽  
Collision Attacks ◽  
Quantum Technology

Abstract With the increasing application of quantum computing, quantum technology is increasingly used in the security analysis and research of multiple symmetric cryptographic algorithms such as block ciphers and hash functions. In 2020, Sasaki et al. proposed a dedicated quantum collision attack against hash functions in EUROCRYPT. Some differential trajectories with a probability of 2−2n/3 that cannot be used in the classical environment may be used to launch collision attacks in the quantum environment. The ARIA algorithm is a block cipher proposed by the Korean researcher Kwon et al. on ICISC 2003. The block cipher algorithm is similar to AES in structure. This article mainly analyzes the security of Davies-Meyer structure, and uses AIRA as the permutation function to construct ARIA hash function based on the DM hash model. A new AIRA differential path was found based on MILP, and 7 rounds of ARIA-DM hash function quantum rebound attacks were given.

A Lower Bound for Schur Numbers and Multicolor Ramsey Numbers

10.37236/1188 ◽  
1994 ◽  
Vol 1 (1) ◽  
Author(s):  
Geoffrey Exoo
Keyword(s):  
Lower Bound ◽  
Lower Bounds ◽  
Ramsey Numbers

For $k \geq 5$, we establish new lower bounds on the Schur numbers $S(k)$ and on the k-color Ramsey numbers of $K_3$.

Data Integrity

2017 ◽  
Author(s):  
Keith M. Martin
Keyword(s):  
Hash Function ◽  
Hash Functions ◽  
Data Integrity ◽  
Message Authentication ◽  
Authenticated Encryption ◽  
Authentication Codes ◽  
Basic Model ◽  
Function Design ◽  
Security Properties ◽  
Different Levels

This chapter discusses cryptographic mechanisms for providing data integrity. We begin by identifying different levels of data integrity that can be provided. We then look in detail at hash functions, explaining the different security properties that they have, as well as presenting several different applications of a hash function. We then look at hash function design and illustrate this by discussing the hash function SHA-3. Next, we discuss message authentication codes (MACs), presenting a basic model and discussing basic properties. We compare two different MAC constructions, CBC-MAC and HMAC. Finally, we consider different ways of using MACs together with encryption. We focus on authenticated encryption modes, and illustrate these by describing Galois Counter mode.

scholarly journals A Lower Bound for the Query Phase of Contraction Hierarchies and Hub Labels and a Provably Optimal Instance-Based Schema

Algorithms ◽  
2021 ◽  
Vol 14 (6) ◽  
pp. 164
Author(s):  
Tobias Rupp ◽  
Stefan Funke
Keyword(s):  
Lower Bound ◽  
Lower Bounds ◽  
Real World ◽  
Road Network ◽  
Upper And Lower Bounds ◽  
Bounded Degree ◽  
Shortest Path Routing ◽  
Graph Classes ◽  
Speed Up ◽  
To Come

We prove a Ω(n) lower bound on the query time for contraction hierarchies (CH) as well as hub labels, two popular speed-up techniques for shortest path routing. Our construction is based on a graph family not too far from subgraphs that occur in real-world road networks, in particular, it is planar and has a bounded degree. Additionally, we borrow ideas from our lower bound proof to come up with instance-based lower bounds for concrete road network instances of moderate size, reaching up to 96% of an upper bound given by a constructed CH. For a variant of our instance-based schema applied to some special graph classes, we can even show matching upper and lower bounds.

scholarly journals On Computing Multilinear Polynomials Using Multi- r -ic Depth Four Circuits

2021 ◽  
Vol 13 (3) ◽  
pp. 1-21
Author(s):  
Suryajith Chillara
Keyword(s):  
Lower Bound ◽  
Lower Bounds ◽  
Complexity Measure ◽  
Natural Question ◽  
Multilinear Polynomial ◽  
Arithmetic Circuit ◽  
Theory Of Computing ◽  
Small Constant ◽  
Multilinear Polynomials ◽  
The Individual

In this article, we are interested in understanding the complexity of computing multilinear polynomials using depth four circuits in which the polynomial computed at every node has a bound on the individual degree of r ≥ 1 with respect to all its variables (referred to as multi- r -ic circuits). The goal of this study is to make progress towards proving superpolynomial lower bounds for general depth four circuits computing multilinear polynomials, by proving better bounds as the value of r increases. Recently, Kayal, Saha and Tavenas (Theory of Computing, 2018) showed that any depth four arithmetic circuit of bounded individual degree r computing an explicit multilinear polynomial on n O (1) variables and degree d must have size at least ( n / r 1.1 ) Ω(√ d / r ) . This bound, however, deteriorates as the value of r increases. It is a natural question to ask if we can prove a bound that does not deteriorate as the value of r increases, or a bound that holds for a larger regime of r . In this article, we prove a lower bound that does not deteriorate with increasing values of r , albeit for a specific instance of d = d ( n ) but for a wider range of r . Formally, for all large enough integers n and a small constant η, we show that there exists an explicit polynomial on n O (1) variables and degree Θ (log 2 n ) such that any depth four circuit of bounded individual degree r ≤ n η must have size at least exp(Ω(log 2 n )). This improvement is obtained by suitably adapting the complexity measure of Kayal et al. (Theory of Computing, 2018). This adaptation of the measure is inspired by the complexity measure used by Kayal et al. (SIAM J. Computing, 2017).

Sign in / Sign up

Export Citation Format

Share Document