compression function
Recently Published Documents

TOTAL DOCUMENTS: 91 (five years: 11)
H-INDEX: 12 (five years: 2)
Information ◽  
2021 ◽  
Vol 12 (10) ◽  
pp. 433
Author(s):  
Kazuki Nakamura ◽  
Koji Hori ◽  
Shoichi Hirose

Cryptographic hash functions play an essential role in various aspects of cryptography, such as message authentication codes, pseudorandom number generation, digital signatures, and so on. Thus, the security of their hardware implementations is an important research topic. Hao et al. proposed an algebraic fault analysis (AFA) for the SHA-256 compression function in 2014. They showed that one could recover the whole of an unknown input of the SHA-256 compression function by injecting 65 faults and analyzing the outputs under normal and fault-injection conditions. They also presented an almost universal forgery attack on HMAC-SHA-256 using this result. In our work, we conducted computer experiments for various fault-injection conditions in the AFA for the SHA-256 compression function. As a result, we found that one can recover the whole of an unknown input of the SHA-256 compression function by injecting an average of only 18 faults. We also conducted an AFA for the SHACAL-2 block cipher and an AFA for the SHA-256 compression function, enabling almost universal forgery of the chopMD-MAC function.


Author(s):  
Amit Kumar Chauhan ◽  
Abhishek Kumar ◽  
Somitra Kumar Sanadhya

Recently, Hosoyamada and Sasaki (EUROCRYPT 2020) and Xiaoyang Dong et al. (ASIACRYPT 2020) proposed quantum collision attacks against the AES-like hashing modes AES-MMO and AES-MP. Their collision attacks are based on the quantum version of the rebound attack technique, exploiting differential trails whose probabilities are too low to be useful in the classical setting but large enough in the quantum setting. In this work, we present dedicated quantum free-start collision attacks on Hirose's double-block-length compression function instantiated with AES-256, namely HCF-AES-256. The best publicly known classical attack against HCF-AES-256 covers up to 9 out of 14 rounds. We present a new 10-round differential trail for HCF-AES-256 with probability 2^-160 and use it to find collisions with a quantum version of the rebound attack. Our attack succeeds with a time complexity of 2^85.11 and requires 2^16 qRAM in the quantum-attack setting where an attacker can make only classical queries to the oracle and perform offline computations. We also present a quantum free-start collision attack on HCF-AES-256 with a time complexity of 2^86.07, which outperforms Chailloux, Naya-Plasencia and Schrottenloher's generic quantum collision attack (ASIACRYPT 2017) in a model where large qRAM is not available.


IEEE Access ◽  
2021 ◽  
pp. 1-1
Author(s):  
Juan Wang ◽  
Ge Liu ◽  
Yongqi Chen ◽  
Shu Wang

2020 ◽  
Vol 9 (01) ◽  
pp. 29-36
Author(s):  
Trần Hồng Thái ◽  
Hoàng Đình Linh

Among block-cipher-based compression functions, three well-known double-block-length compression functions achieve optimal collision and preimage resistance (up to 2^n and 2^2n queries, respectively): Abreast-DM, Tandem-DM and the Hirose scheme. Several new schemes have been proposed recently, but their security proofs all build on the existing results for these three schemes. Among the three, the Hirose scheme achieves better collision-resistance and preimage-resistance bounds than the other two, and it is also more efficient, since it uses a single key schedule for the two underlying block-cipher calls. In this paper, we give a tighter collision-resistance bound for the Hirose scheme. Applied to a block cipher with a 128-bit block length and a 256-bit key length, such as AES-256, the result is that no attacker making fewer than 2^126.73 queries can find a collision for the Hirose compression function with probability greater than 1/2.
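The two abstracts above (the quantum free-start attack on HCF-AES-256 and the tighter collision bound for the Hirose scheme) both concern the same construction, so here is a working implementation of it. This is an added example written for this page, not code from either paper: Hirose's double-block-length compression function built on AES-256 from Go's standard library, iterated with Merkle-Damgård strengthening into a 256-bit hash. The non-zero constant c, the initial chaining values ivG/ivH and the padding rule are assumptions of this example (the scheme only requires c != 0 and some fixed IV); the proven 2^126.73 query bound is a property of the design and is not something the code can check.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// n is the block length of the underlying cipher in bytes (AES: 128 bits).
// The key length is 2n (AES-256: 256 bits), so a single key H || M drives both calls.
const n = 16

// hiroseC is the non-zero constant c that separates the two encryptions.
// Assumption: the scheme only requires c != 0; the particular value is arbitrary.
var hiroseC = [n]byte{0: 0x01}

// ivG and ivH are the fixed initial chaining values. Assumption of this example:
// the scheme does not prescribe a particular IV, so these are arbitrary constants.
var (
	ivG = [n]byte{0x48, 0x69, 0x72, 0x6f, 0x73, 0x65, 0x2d, 0x47}
	ivH = [n]byte{0x48, 0x69, 0x72, 0x6f, 0x73, 0x65, 0x2d, 0x48}
)

// hiroseCompress is Hirose's double-block-length compression function:
//
//	G' = E_{H || M}(G) xor G
//	H' = E_{H || M}(G xor c) xor G xor c
//
// Both block-cipher calls share one key schedule, that of K = H || M.
func hiroseCompress(g, h, m [n]byte) (gOut, hOut [n]byte) {
	key := append(append(make([]byte, 0, 2*n), h[:]...), m[:]...)
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		panic(err) // unreachable: the key is always exactly 2n bytes
	}
	var gc, tmp [n]byte
	block.Encrypt(tmp[:], g[:])
	for i := range gOut {
		gOut[i] = tmp[i] ^ g[i]
	}
	for i := range gc {
		gc[i] = g[i] ^ hiroseC[i]
	}
	block.Encrypt(tmp[:], gc[:])
	for i := range hOut {
		hOut[i] = tmp[i] ^ gc[i]
	}
	return gOut, hOut
}

// pad applies Merkle-Damgård strengthening: a 0x80 byte, zeros, then the
// 64-bit message length in bits, so the result is a whole number of n-byte blocks.
func pad(msg []byte) []byte {
	out := append(append(make([]byte, 0, len(msg)+2*n), msg...), 0x80)
	for len(out)%n != n-8 {
		out = append(out, 0x00)
	}
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(msg))*8)
	return append(out, l[:]...)
}

// hiroseHash iterates the compression function over the padded message and
// returns the 2n-byte digest G || H. Each iteration absorbs one n-byte block.
func hiroseHash(msg []byte) [2 * n]byte {
	g, h := ivG, ivH
	padded := pad(msg)
	for off := 0; off < len(padded); off += n {
		var m [n]byte
		copy(m[:], padded[off:off+n])
		g, h = hiroseCompress(g, h, m)
	}
	var out [2 * n]byte
	copy(out[:n], g[:])
	copy(out[n:], h[:])
	return out
}

func main() {
	for _, s := range []string{"", "abc", "The quick brown fox jumps over the lazy dog"} {
		d := hiroseHash([]byte(s))
		fmt.Printf("%-45q %s\n", s, hex.EncodeToString(d[:]))
	}
}
```

Note what "free-start" means against this code: in hiroseHash the attacker controls only m, while g and h are fixed by the IV and the previous block; a free-start attack on the compression function lets the attacker choose g and h as well, which is why such attacks on hiroseCompress do not automatically translate into collisions for the iterated hash. The single aes.NewCipher call per block is the efficiency point from the second abstract: one AES-256 key schedule serves both encryptions.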


2020 ◽  
Vol 10 (2) ◽  
pp. 18-24
Author(s):  
Anh Tuan Nguyen ◽  
Cuong Bui Nguyen

In this paper, we present a new proof for the security of the keyed Sponge. Our method is built on the previous result about the indistinguishability of the Sponge construction. Following this approach, we can see the strong relationship between the security of the keyed Sponge and its original version.


2020 ◽  
Vol 156 ◽  
pp. 105902
Author(s):  
Tingting Cui ◽  
Wei Wang ◽  
Meiqin Wang

2020 ◽  
Vol 30 (02) ◽  
pp. 2050020 ◽  
Author(s):  
Hai-Peng Ren ◽  
Chao-Feng Zhao ◽  
Celso Grebogi

A scheme for constructing a one-way hash function based on hyperchaos induced by time delay and key-stream function iteration is proposed in this paper. In this scheme, the plaintext and secret key are used as the initial values in two hyperchaotic Chen systems; these values are evolved in a hyperchaotic way during a predefined period. The results of the evolution are quantified and iterated using key-stream function iteration to confuse and diffuse the plaintext and secret key. The cipher block chaining mode is used to generate a 128-bit hash value for a plaintext of arbitrary length. Theoretical analysis and simulation results indicate that the proposed algorithm has satisfactory performance, such as value compression function, irreversibility, initial value sensitivity, forgery resistance and collision resistance.


Pharmaceutics ◽  
2019 ◽  
Vol 11 (3) ◽  
pp. 121 ◽  
Author(s):  
Isabell Wünsch ◽  
Jan Finke ◽  
Edgar John ◽  
Michael Juhnke ◽  
Arno Kwade

In-die compression analysis is an effective method for the characterization of powder compressibility. However, physically unreasonable apparent solid fractions above one or apparent in-die porosities below zero are often calculated for higher compression stresses. One important reason for this is the neglect of solid compressibility and hence the assumption of a constant solid density. In this work, the solid compressibility of four pharmaceutical powders with different deformation behaviour is characterized using mercury porosimetry. The derived bulk moduli are applied for the calculation of in-die porosities. The change of in-die porosity due to the consideration of solid compressibility is, for instance, up to 4% for microcrystalline cellulose at a compression stress of 400 MPa and thus cannot be neglected for the calculation of in-die porosities. However, solid compressibility and further uncertainties from, for example, the measured solid density and from the displacement sensors are difficult or only partially accessible. Therefore, a mathematical term for the calculation of physically reasonable in-die porosities is introduced. This term can be used for the extension of common mathematical models, such as the models of Heckel and of Cooper & Eaton. Additionally, an extended in-die compression function is introduced to precisely describe the entire range of in-die porosity curves and to enable the successful differentiation and quantification of the compression behaviour of the investigated pharmaceutical powders.

