
Showing papers by "Florian Mendel published in 2013"


Book Chapter
11 Mar 2013
TL;DR: This paper proposes a new Authenticated Lightweight Encryption algorithm coined ALE, an online single-pass authenticated encryption algorithm that supports optional associated data and its security relies on using nonces.
Abstract: In this paper, we propose a new Authenticated Lightweight Encryption algorithm coined ALE. The basic operation of ALE is the AES round transformation and the AES-128 key schedule. ALE is an online single-pass authenticated encryption algorithm that supports optional associated data. Its security relies on using nonces.

106 citations


Book Chapter
20 Aug 2013
TL;DR: Fides is an online nonce-based authenticated encryption scheme with authenticated data whose area requirements are as low as 793 GE and 1001 GE for 80-bit and 96-bit security, respectively, which is at least two times smaller than its closest competitors Hummingbird-2 and Grain-128a.
Abstract: In this paper, we present a novel lightweight authenticated cipher optimized for hardware implementations called Fides. It is an online nonce-based authenticated encryption scheme with authenticated data whose area requirements are as low as 793 GE and 1001 GE for 80-bit and 96-bit security, respectively. This is at least two times smaller than its closest competitors Hummingbird-2 and Grain-128a. While being extremely compact, Fides is both throughput and latency efficient, even in its most serial implementations. This is attained by our novel sponge-like design approach. Moreover, cryptographically optimal 5-bit and 6-bit S-boxes are used as basic nonlinear components, while paying special attention to the simplicity of providing first-order side-channel resistance with threshold implementation.

84 citations


Book Chapter
26 May 2013
TL;DR: In this paper, the authors focus on the construction of semi-free-start collisions for SHA-256, and show how to turn them into collisions using a two-block approach.
Abstract: In this paper, we focus on the construction of semi-free-start collisions for SHA-256, and show how to turn them into collisions. We present a collision attack on 28 steps of the hash function with practical complexity. Using a two-block approach we are able to turn a semi-free-start collision into a collision for 31 steps with a complexity of at most 2^65.5. The main improvement of our work is to extend the size of the local collisions used in these attacks. To construct differential characteristics and confirming message pairs for longer local collisions, we had to improve the search strategy of our automated search tool. To test the limits of our techniques we present a semi-free-start collision for 38 steps.

71 citations


Book Chapter
25 Feb 2013
TL;DR: This work provides the first security analysis of reduced SM3 regarding its collision resistance and extends the methods used in the recent collision attacks on SHA-2 and shows how the techniques can be effectively applied to SM3.
Abstract: In this work, we provide the first security analysis of reduced SM3 regarding its collision resistance. SM3 is a Chinese hash function standard published by the Chinese Commercial Cryptography Administration Office for the use of electronic authentication service systems and hence might be used in several cryptographic applications in China. So far only a few results have been published for the SM3 hash function. Since the design of SM3 is very similar to the MD4 family of hash functions and in particular to SHA-2, a re-evaluation of the security of SM3 regarding collision resistance is important, taking into account recent advances in the cryptanalysis of SHA-2. In this paper, we extend the methods used in the recent collision attacks on SHA-2 and show how the techniques can be effectively applied to SM3. Our results are a collision attack on the hash function for 20 out of 64 steps and a free-start collision attack for 24 steps of SM3, both with practical complexity.

19 citations


Book Chapter
17 Dec 2013
TL;DR: Reducing the capacity to the output size of the SHA-3 standard slightly improves attacks, while reducing the permutation size degrades attacks on Keccak.
Abstract: In October 2012, NIST announced Keccak as the winner of the SHA-3 cryptographic hash function competition. Recently, at CT-RSA 2013, NIST brought up the idea to standardize Keccak variants with different parameters than those submitted to the SHA-3 competition. In particular, NIST is considering reducing the capacity to the output size of the SHA-3 standard and, additionally, standardizing a Keccak variant with a permutation size of 800 instead of 1600 bits. However, these variants have not been analyzed very well during the SHA-3 competition. Especially for the variant using an 800-bit permutation, no analysis of the hash function has been published so far. In this work, we analyze these newly proposed Keccak variants and provide practical collisions for up to 4 rounds for all output sizes by constructing internal collisions. Our attacks are based on standard differential cryptanalysis, contrary to the recent attacks by Dinur et al. from FSE 2013. We use a non-linear low-probability path for the first two rounds and use methods from coding theory to find a high-probability path for the last two rounds. The low-probability path as well as the conforming message pair is found using an automatic differential path search tool. Our results indicate that reducing the capacity slightly improves attacks, while reducing the permutation size degrades attacks on Keccak.

17 citations


Book Chapter
01 Dec 2013
TL;DR: An improved cryptanalysis of the double-branch hash function standard RIPEMD-160 is proposed using a carefully designed non-linear path search tool and it is shown that some of these message words can lead to very good differential path candidates.
Abstract: In this article, we propose an improved cryptanalysis of the double-branch hash function standard RIPEMD-160. Using a carefully designed non-linear path search tool, we study the potential differential paths that can be constructed from a difference in a single message word and show that some of these message words can lead to very good differential path candidates. Leveraging the recent freedom degree utilization technique from Landelle and Peyrin to merge two branch instances, we eventually manage to obtain a semi-free-start collision attack for 42 steps of the RIPEMD-160 compression function, while the previously best known result reached 36 steps. In addition, we also describe a 36-step semi-free-start collision attack which starts from the first step.

15 citations


01 Jan 2013
TL;DR: This paper proposes a new approach to propagate information for affine functions and compares it to the approach used in recent hash function attacks and shows that it performs much better than the previously used methods.
Abstract: The most successful attacks on cryptographic hash functions are based on differential cryptanalysis, where the main problem is to find a differential characteristic. Finding a differential characteristic is equivalent to solving a system of nonlinear equations. Solving these equations is usually done by a guess-and-determine approach. Recently, automated tools performing a guess-and-determine approach based on the concept of generalized conditions have been used to attack many hash functions. The core part of such tools is the propagation of information. In this paper, we propose a new approach to propagate information for affine functions and compare it to the approach used in recent hash function attacks. We apply our method to the linear functions σi and Σi used in SHA-2 and to the linear layer of SHA-3. We show that our approach performs much better than the previously used methods.

6 citations


Book Chapter
25 Feb 2013
TL;DR: The security of the block cipher when used as a compression function is discussed; taking advantage of the slow diffusion mechanism of the key schedule, free-start collisions for WIDEA-8 are presented.
Abstract: WIDEA is a family of block ciphers inspired by the IDEA block cipher. The design uses n parallel instances of IDEA with an improved key schedule to obtain block ciphers with larger block sizes. Moreover, the given design is suggested as the compression function for Davies-Meyer mode. In this paper, we discuss the security of the block cipher when used as a compression function. Inspired by the weak-key attacks on IDEA, we take advantage of the slow diffusion mechanism of the key schedule and present free-start collisions for WIDEA-8, which is the version specified by the designers. Our results are practical and we are able to obtain free-start collisions with a complexity of 2^13.53.

5 citations


Posted Content
TL;DR: In this article, the authors proposed an improved cryptanalysis of the double-branch hash function standard RIPEMD-160 using a carefully designed non-linear path search tool, and showed that some of these message words can lead to very good differential path candidates.
Abstract: In this article, we propose an improved cryptanalysis of the double-branch hash function standard RIPEMD-160. Using a carefully designed non-linear path search tool, we study the potential differential paths that can be constructed from a difference in a single message word and show that some of these message words can lead to very good differential path candidates. Leveraging the recent freedom degree utilization technique from Landelle and Peyrin to merge two branch instances, we eventually manage to obtain a semi-free-start collision attack for 42 steps of the RIPEMD-160 compression function, while the previously best known result reached 36 steps. In addition, we also describe a 36-step semi-free-start collision attack which starts from the first step.