scispace - formally typeset

Author

Florian Mendel

Bio: Florian Mendel is an academic researcher from Infineon Technologies. The author has contributed to research in topic(s): Hash function & Collision attack. The author has an hindex of 31, co-authored 147 publication(s) receiving 3430 citation(s). Previous affiliations of Florian Mendel include Katholieke Universiteit Leuven & Graz University of Technology.
Papers
More filters

Book ChapterDOI
13 Jul 2009
TL;DR: The rebound attack consists of an inbound phase with a match-in-the-middle part to exploit the available degrees of freedom in a collision attack to efficiently bypass the low probability parts of a differential trail.
Abstract: In this work, we propose the rebound attack, a new tool for the cryptanalysis of hash functions. The idea of the rebound attack is to use the available degrees of freedom in a collision attack to efficiently bypass the low probability parts of a differential trail. The rebound attack consists of an inbound phase with a match-in-the-middle part to exploit the available degrees of freedom, and a subsequent probabilistic outbound phase. Especially on AES based hash functions, the rebound attack leads to new attacks for a surprisingly high number of rounds. We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit hash function Whirlpool with a complexity of 2120 compression function evaluations and negligible memory requirements. The attack can be extended to a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5 rounds of the similar hash function Maelstrom. Additionally, we apply the rebound attack to the SHA-3 submission Grostl, which leads to an attack on 6 rounds of the Grostl-256 compression function with a complexity of 2120 and memory requirements of about 264.

256 citations


Journal Article
TL;DR: Grostl is a SHA-3 candidate proposal, an iterated hash function with a compression function built from two fixed, large, distinct permutations, which has the effect that all known, generic attacks on the hash function are made much more difficult.
Abstract: Grostl is a SHA-3 candidate proposal. Grostl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grostl is transparent and based on principles very different from those used in the SHA-family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grostl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grostl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grostl. Grostl is a so-called wide-pipe construction where the size of the internal state is significantly larger than the size of the output. This has the effect that all known, generic attacks on the hash function are made much more difficult. Grostl has good performance on a wide range of platforms and counter-measures against side-channel attacks are well-understood from similar work on the AES.

236 citations


Proceedings Article
01 Jan 2009
Abstract: Grostl is a SHA-3 candidate proposal. Grostl is an iterated hash function with a compression function built from two �fixed, large, distinct permutations. The design of Grostl is transparent and based on principles very different from those used in the SHA-family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grostl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grostl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grostl

184 citations


Book ChapterDOI
02 Dec 2009
TL;DR: This work presents a distinguishing attack on the full compression function of Whirlpool by improving the rebound attack on reducedWhirlpool with two new techniques and shows how to turn this near-collision attack into a distinguishable attack for the full 10 round compression function.
Abstract: Whirlpool is a hash function based on a block cipher that can be seen as a scaled up variant of the AES The main difference is the (compared to AES) extremely conservative key schedule In this work, we present a distinguishing attack on the full compression function of Whirlpool We obtain this result by improving the rebound attack on reduced Whirlpool with two new techniques First, the inbound phase of the rebound attack is extended by up to two rounds using the available degrees of freedom of the key schedule This results in a near-collision attack on 95 rounds of the compression function of Whirlpool with a complexity of 2176 and negligible memory requirements Second, we show how to turn this near-collision attack into a distinguishing attack for the full 10 round compression function of Whirlpool This is the first result on the full Whirlpool compression function

151 citations


Book ChapterDOI
11 Mar 2013
TL;DR: This paper proposes a new Authenticated Lightweight Encryption algorithm coined ALE, an online single-pass authenticated encryption algorithm that supports optional associated data and its security relies on using nonces.
Abstract: In this paper, we propose a new Authenticated Lightweight Encryption algorithm coined ALE. The basic operation of ALE is the AES round transformation and the AES-128 key schedule. ALE is an online single-pass authenticated encryption algorithm that supports optional associated data. Its security relies on using nonces.

96 citations


Cited by
More filters

Journal ArticleDOI

[...]

08 Dec 2001-BMJ
TL;DR: There is, I think, something ethereal about i —the square root of minus one, which seems an odd beast at that time—an intruder hovering on the edge of reality.
Abstract: There is, I think, something ethereal about i —the square root of minus one. I remember first hearing about it at school. It seemed an odd beast at that time—an intruder hovering on the edge of reality. Usually familiarity dulls this sense of the bizarre, but in the case of i it was the reverse: over the years the sense of its surreal nature intensified. It seemed that it was impossible to write mathematics that described the real world in …

30,199 citations



Book ChapterDOI
28 Sep 2011
TL;DR: This work considers the resistance of ciphers, and LED in particular, to related-key attacks, and is able to derive simple yet interesting AES-like security proofs for LED regarding related- or single- key attacks.
Abstract: We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation.

736 citations


Journal ArticleDOI
TL;DR: This paper has implemented a proof-of-concept for decentralized energy trading system using blockchain technology, multi-signatures, and anonymous encrypted messaging streams, enabling peers to anonymously negotiate energy prices and securely perform trading transactions.
Abstract: Smart grids equipped with bi-directional communication flow are expected to provide more sophisticated consumption monitoring and energy trading. However, the issues related to the security and privacy of consumption and trading data present serious challenges. In this paper we address the problem of providing transaction security in decentralized smart grid energy trading without reliance on trusted third parties. We have implemented a proof-of-concept for decentralized energy trading system using blockchain technology, multi-signatures, and anonymous encrypted messaging streams, enabling peers to anonymously negotiate energy prices and securely perform trading transactions. We conducted case studies to perform security analysis and performance evaluation within the context of the elicited security and privacy requirements.

697 citations


Book ChapterDOI
04 Dec 2011
TL;DR: This paper presents the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: the first key recovery method for the full AES-128 with computational complexity 2126.1.4 and key recovery methods with lower complexity for the reduced-round versions of AES not considered before.
Abstract: Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: The first key recovery method for the full AES-128 with computational complexity 2126.1. The first key recovery method for the full AES-192 with computational complexity 2189.7. The first key recovery method for the full AES-256 with computational complexity 2254.4. Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2124.9. Preimage search for compression functions based on the full AES versions faster than brute force. In contrast to most shortcut attacks on AES variants, we do not need to assume related-keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.

502 citations


Network Information
Related Authors (5)
Martin Schläffer

64 papers, 2.3K citations

98% related
Norbert Pramstaller

40 papers, 1.5K citations

96% related
Christian Rechberger

157 papers, 7K citations

93% related
Vincent Rijmen

284 papers, 15.8K citations

89% related
Thomas Peyrin

142 papers, 4.3K citations

88% related
Performance
Metrics

Author's H-index: 31

No. of papers from the Author in previous years
YearPapers
20211
20202
20193
20185
20177
201612