Showing papers by "Florian Mendel published in 2012"

Differential analysis of the LED block cipher

Abstract: In this paper, we present a security analysis of the lightweight block cipher LED proposed by Guo et al. at CHES 2011. Since the design of LED is very similar to the Even-Mansour scheme, we first review existing attacks on this scheme and extend them to related-key and related-key-cipher settings before we apply them to LED. We obtain results for 12 and 16 rounds (out of 32) for LED-64 and 16 and 24 rounds (out of 48) for LED-128. Furthermore, we present an observation on full LED in the related-key-cipher setting. For all these attacks we need to find good differentials for one step (4 rounds) of LED. Therefore, we extend the study of plateau characteristics for AES-like structures from two rounds to four rounds when the key addition is replaced with a constant addition. We introduce an algorithm that can be used to find good differentials and right pairs for one step of LED. To be more precise, we can find more than 210 right pairs for one step of LED with complexity of 216 and memory requirement of 5 ×217. Moreover, a similar algorithm can also be used to find iterative characteristics for the LED.

Collision attacks on the reduced dual-stream hash function RIPEMD-128

Abstract: In this paper, we analyze the security of RIPEMD-128 against collision attacks. The ISO/IEC standard RIPEMD-128 was proposed 15 years ago and may be used as a drop-in replacement for 128-bit hash functions like MD5. Only few results have been published for RIPEMD-128, the best being a preimage attack for the first 33 steps of the hash function with complexity 2124.5. In this work, we provide a new assessment of the security margin of RIPEMD-128 by showing attacks on up to 48 (out of 64) steps of the hash function. We present a collision attack reduced to 38 steps and a near-collisions attack for 44 steps, both with practical complexity. Furthermore, we show non-random properties for 48 steps of the RIPEMD-128 hash function, and provide an example for a collision on the compression function for 48 steps. For all attacks we use complex nonlinear differential characteristics. Due to the more complicated dual-stream structure of RIPEMD-128 compared to its predecessor, finding high-probability characteristics as well as conforming message pairs is nontrivial. Doing any of these steps by hand is almost impossible or at least, very time consuming. We present a general strategy to analyze dual-stream hash functions and use an automatic search tool for the two main steps of the attack. Our tool is able to find differential characteristics and perform advanced message modification simultaneously in the two streams.

Differential attacks on reduced RIPEMD-160

Abstract: In this work, we provide the first security analysis of reduced RIPEMD-160 regarding its collision resistance with practical complexity. The ISO/IEC standard RIPEMD-160 was proposed 15 years ago and may be used as a drop-in replacement for SHA-1 due to their same hash output length. Only few results have been published for RIPEMD-160 so far and most attacks have a complexity very close to the generic bound. In this paper, we present the first application of the attacks of Wang et al. on MD5 and SHA-1 to RIPEMD-160. Due to the dual-stream structure of RIPEMD-160 the application of these attacks is nontrivial and almost impossible without the use of automated tools. We present practical examples of semi-free-start near-collisions for the middle 48 steps (out of 80) and semi-free-start collisions for 36 steps of RIPEMD-160. Furthermore, our results show that the differential characteristics get very dense in RIPEMD-160 such that a full-round attack seems unlikely in the near future.

Memoryless near-collisions via coding theory

Abstract: We investigate generic methods to find near-collisions in cryptographic hash functions. We introduce a new generic approach based on methods to find cycles in the space of codewords of a code with low covering radius. We give an analysis of our approach and demonstrate it on the SHA-3 candidate TIB3.

A Simple Key-Recovery Attack on McOE-X

Abstract: In this paper, we present a key-recovery attack on the online authenticated encryption scheme McOE-X proposed by Fleischmann et al. at FSE 2012. The attack is based on the observation that in McOE-X the key is changed for every block of message that is encrypted in a deterministic way. This allows an adversary to recover the key by using a standard time-memory trade-off strategy. On its best setting the attack has a complexity as low as 2 ·2 n/2, while this should be 2 n for a good scheme. Taking AES-128 as an example this would result in an attack with complexity of 265.

Differential Analysis of the LED Block Cipher

Abstract: In this paper, we present a security analysis of the lightweight block cipher LED proposed by Guo et al. at CHES 2011. Since the design of LED is very similar to the Even-Mansour scheme, we first review existing attacks on this scheme and extend them to related-key and related-key-cipher settings before we apply them to LED. We obtain results for 12 and 16 rounds (out of 32) for LED-64 and 16 and 24 rounds (out of 48) for LED-128. Furthermore, we present an observation on full LED in the related-key-cipher setting. For all these attacks we need to find good differentials for one step (4 rounds) of LED. Therefore, we extend the study of plateau characteristics for AES-like structures from two rounds to four rounds when the key addition is replaced with a constant addition. We introduce an algorithm that can be used to find good differentials and right pairs for one step of LED. To be more precise, we can find more than 210 right pairs for one step of LED with complexity of 216 and memory requirement of 5 ×217. Moreover, a similar algorithm can also be used to find iterative characteristics for the LED.

Differential Analysis of the LED Block Cipher.

Abstract: In this paper, we present a security analysis of the lightweight block cipher LED proposed by Guo et al. at CHES 2011. Since the design of LED is very similar to the Even-Mansour scheme, we first review existing attacks on this scheme and extend them to related-key and related-key-cipher settings before we apply them to LED. We obtain results for 12 and 16 rounds (out of 32) for LED-64 and 16 and 24 rounds (out of 48) for LED-128. Furthermore, we present an observation on LED in the relatedkey-cipher setting. For all these attacks we need to find good differentials for one step (4 rounds) of LED. Therefore, we extend the study of plateau characteristics for AES-like structures from two rounds to four rounds when the key addition is replaced with a constant addition. We introduce an algorithm that can be used to find good differentials and right pairs for one step of LED. To be more precise, we can find more than 2 right pairs for one step of LED with complexity of 2 and memory requirement of 5× 2. Moreover, a similar algorithm can also be used to find iterative characteristics for LED.

Collision Attack on the Hamsi-256 Compression Function

Abstract: Hamsi-256 is a cryptographic hash functions submitted by Kucuk to the NIST SHA-3 competition in 2008. It was selected by NIST as one of the 14 round 2 candidates in 2009. Even though Hamsi-256 did not make it to the final round in 2010 it is still an interesting target for cryptanalysts. Since Hamsi-256 has been proposed, it received a great deal of cryptanalysis. Besides the second-preimage attacks on the hash function, most cryptanalysis focused on non-random properties of the compression function or output transformation of Hamsi-256. Interestingly, the collision resistance of the hash or compression function got much less attention. In this paper, we present a collision attack on the Hamsi-256 compression function with a complexity of about 2124.1.

Collision Attack on the Hamsi-256 Compression Function

Abstract: Hamsi-256 is a cryptographic hash functions submitted by Kucuk to the NIST SHA-3 competition in 2008. It was selected by NIST as one of the 14 round 2 candidates in 2009. Even though Hamsi-256 did not make it to the final round in 2010 it is still an interesting target for cryptanalysts. Since Hamsi-256 has been proposed, it received a great deal of cryptanalysis. Besides the second-preimage attacks on the hash function, most cryptanalysis focused on non-random properties of the compression function or output transformation of Hamsi-256. Interestingly, the collision resistance of the hash or compression function got much less attention. In this paper, we present a collision attack on the Hamsi-256 compression function with a complexity of about 2124.1.

Preimage Attacks against PKC98-Hash and HAS-V

Abstract: We propose preimage attacks against PKC98-Hash and HAS-V. PKC98-Hash is a 160-bit hash function proposed at PKC 1998, and HAS-V, a hash function proposed at SAC 2000, can produce hash values of 128+32k (k=0,1,...,6) bits. These hash functions adopt the Merkle-Damgard and Davies-Meyer constructions. One unique characteristic of these hash functions is that their step functions are not injective with a fixed message. We utilize this property to mount preimage attacks against these hash functions. Note that these attacks can work for an arbitrary number of steps. The best proposed attacks generate preimages of PKC98-Hash and HAS-V-320 in 264 and 2256 compression function computations with negligible memory, respectively. This is the first preimage attack against the full PKC98-Hash function.