
Showing papers by "Florian Mendel published in 2016"


Book ChapterDOI
04 Dec 2016
TL;DR: This work states that when targeting authenticated encryption schemes, this is in practice usually precluded by the unique nonce required by most of these schemes.
Abstract: Since the first demonstration of fault attacks by Boneh et al. on RSA, a multitude of fault attack techniques on various cryptosystems have been proposed. Most of these techniques, like Differential Fault Analysis, Safe Error Attacks, and Collision Fault Analysis, have the requirement to process two inputs that are either identical or related, in order to generate pairs of correct/faulty ciphertexts. However, when targeting authenticated encryption schemes, this is in practice usually precluded by the unique nonce required by most of these schemes.

56 citations


Posted Content
TL;DR: In this article, a related-tweakey impossible-differential attack on up to 23 (out of 36) rounds of SKINNY-64/128 for different tweak sizes is presented.
Abstract: At CRYPTO’16, Beierle et al. presented SKINNY, a family of lightweight tweakable block ciphers intended to compete with the NSA designs SIMON and SPECK. SKINNY can be implemented efficiently in both soft- and hardware and supports block sizes of 64 and 128 bits as well as tweakey sizes of 64, 128, 192 and 128, 256, 384 bits respectively. This paper presents a related-tweakey impossible-differential attack on up to 23 (out of 36) rounds of SKINNY-64/128 for different tweak sizes. All our attacks can be trivially extended to SKINNY-128/128.

19 citations


Book ChapterDOI
19 Jun 2016
TL;DR: This work shows a key-recovery attack on 7-round Kiasu≠ with a complexity of about \(2^{82}\) encryptions, which improves upon the best published 7-round attacks for AES-128.
Abstract: Kiasu-BC is a tweakable block cipher presented within the TWEAKEY framework at AsiaCrypt 2014. Kiasu-BC is almost identical to AES-128; the only difference is the tweak addition, where the 64-bit tweak is XORed to the first two rows of every round-key. The security analysis of the designers focuses primarily on related-key related-tweak differential characteristics and meet-in-the-middle attacks. For other attacks, they conclude that the security level of Kiasu-BC is similar to AES-128. In this work, we provide the first third-party analysis of Kiasu-BC. We show that we can mount Square attacks on up to 7-round Kiasu-BC with a complexity of about \(2^{48.5}\) encryptions, which improves upon the best published 7-round attacks for AES-128. Furthermore, we show that such attacks are applicable to the round-reduced \(\Theta\)CB3-like mode of the CAESAR candidate Kiasu. To be specific, we show a key-recovery attack on 7-round Kiasu≠ with a complexity of about \(2^{82}\) encryptions.

17 citations


Book ChapterDOI
04 Jul 2016
TL;DR: This paper presents the first third-party cryptanalysis on AESQ, the underlying permutation of the PAEQ authenticated encryption scheme currently discussed in the second round of the CAESAR competition, and reduces the complexity of the 12-round attack to \(2^{128}\) computational cost and negligible memory.
Abstract: In this paper, we present improved rebound attacks against the AESQ permutation, which is the underlying permutation of the PAEQ authenticated encryption scheme currently discussed in the second round of the CAESAR competition. AESQ is an AES-based permutation. The designers claim that no attack should be found with complexity up to \(2^{256}\), and they have shown a rebound attack against 12 out of 20 rounds with \(2^{256}\) computational cost and \(2^{256}\) memory. In this paper, we present the first third-party cryptanalysis on AESQ. First, we reduce the complexity of the 12-round attack to \(2^{128}\) computational cost and negligible memory. We then extend the number of rounds and present a 16-round attack with \(2^{192}\) computational cost and \(2^{128}\) memory. Moreover, we discuss time-memory tradeoffs and multiple limited birthday distinguishers. In particular, the time-memory tradeoff is useful for the 12-round attack, which allows us to balance the time and memory complexities to \(2^{102.4}\).

9 citations


Book ChapterDOI
10 Aug 2016
TL;DR: Full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction are proposed, which violate the designers’ security claims that there are no structural distinguishers with complexity below \(2^{128}\).
Abstract: Simpira v1 is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The designers’ security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity \(2^{82.62}\) for the recommended full 15 rounds and a truncated 256-bit hash value, and complexity \(2^{110.16}\) for 16 rounds and the full 512-bit hash value. These attacks violate the designers’ security claims that there are no structural distinguishers with complexity below \(2^{128}\).

7 citations


Book ChapterDOI
20 Mar 2016
TL;DR: In this paper, the authors presented a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 out of 4 rounds, while the memory complexity is negligible.
Abstract: NORX is a second round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce based authenticated encryption scheme based on the sponge construction. Its two variants denoted by NORX32 and NORX64 provide a security level of 128 and 256 bits, respectively. In this paper, we present a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 out of 4 rounds. The time and data complexities of the attack for NORX32 are \(2^{119}\) and \(2^{66}\) respectively, and for NORX64 are \(2^{234}\) and \(2^{132}\) respectively, while the memory complexity is negligible. Furthermore, we show a state recovery attack against NORX in the parallel mode using an internal differential attack for 2 rounds of the permutation. The data, time and memory complexities of the attack for NORX32 are \(2^{7.3}\), \(2^{124.3}\) and \(2^{115}\) respectively and for NORX64 are \(2^{6.2}\), \(2^{232.8}\) and \(2^{225}\) respectively. Finally, we present a practical distinguisher for the keystream of NORX64 based on two rounds of the permutation in the parallel mode using an internal differential-linear attack. To the best of our knowledge, our results are the best known results for NORX in the nonce-respecting setting.

5 citations


Book ChapterDOI
20 Mar 2016
TL;DR: It is shown that it is actually possible to mount rebound attacks, despite the presence of modular constant additions in the hash function Kupyna, and how to use the rebound attack for creating collisions for the round-reduced hash function itself.
Abstract: The hash function Kupyna was recently published as the Ukrainian standard DSTU 7564:2014. It is structurally very similar to the SHA-3 finalist Grøstl, but differs in details of the round transformations. Most notably, some of the round constants are added with a modular addition, rather than bitwise XOR. This change prevents a straightforward application of some recent attacks, in particular of the rebound attacks on the compression function of similar AES-like hash constructions. However, we show that it is actually possible to mount rebound attacks, despite the presence of modular constant additions. More specifically, we describe collision attacks on the compression function for 6 out of 10 rounds of Kupyna-256 with an attack complexity of \(2^{70}\), and for 7 rounds with complexity \(2^{125.8}\). In addition, we can use the rebound attack for creating collisions for the round-reduced hash function itself. This is possible for 4 rounds of Kupyna-256 with complexity \(2^{67}\) and for 5 rounds with complexity \(2^{120}\).

5 citations


Posted Content
TL;DR: In this paper, the authors propose a full-round collision attack on the Simpira-4 Davies-Meyer hash construction, with complexity \(2^{82.62}\) for the recommended full 15 rounds (truncated 256-bit hash value).
Abstract: Simpira is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity \(2^{82.62}\) for the recommended full 15 rounds (truncated 256-bit hash value), and complexity \(2^{110.16}\) for 16 rounds (full 512-bit hash value). These attacks violate the designers’ security claims that there are no structural distinguishers below \(2^{128}\).

3 citations


Posted Content
TL;DR: A DPA attack on Keymill is presented, which is based on the dynamic power consumption of a digital circuit that is tied to the \(0\rightarrow 1\) and \(1\rightarrow 0\) switches of its logical gates.
Abstract: One prominent countermeasure against side-channel attacks, especially differential power analysis (DPA), is fresh re-keying. In such schemes, the so-called re-keying function takes the burden of protecting a cryptographic primitive against DPA. To ensure the security of the scheme against side-channel analysis, the re-keying function has to withstand both simple power analysis (SPA) and differential power analysis (DPA). Recently, at SAC 2016, Taha et al. proposed Keymill, a side-channel resilient key generator (or re-keying function), which is claimed to be inherently secure against side-channel attacks. In this work, however, we present a DPA attack on Keymill, which is based on the dynamic power consumption of a digital circuit that is tied to the \(0\rightarrow 1\) and \(1\rightarrow 0\) switches of its logical gates. Hence, the power consumption of the shift-registers used in Keymill depends on the \(0\rightarrow 1\) and \(1\rightarrow 0\) switches of its internal state. This information is sufficient to obtain the internal differential pattern (up to a small number of bits, which have to be brute-forced) of the 4 shift-registers of Keymill after the nonce has been absorbed. This leads to a practical key-recovery attack on Keymill.

3 citations


Posted Content
Abstract: In 2012, NIST standardized SHA-512/224 and SHA-512/256, two truncated variants of SHA-512, in FIPS 180-4. These two hash functions are faster than SHA-224 and SHA-256 on 64-bit platforms, while maintaining the same hash size and claimed security level. So far, no third-party analysis of SHA-512/224 or SHA-512/256 has been published. In this work, we examine the collision resistance of step-reduced versions of SHA-512/224 and SHA-512/256 by using differential cryptanalysis in combination with sophisticated search tools. We are able to generate practical examples of free-start collisions for 44-step SHA-512/224 and 43-step SHA-512/256. Thus, the truncation performed by these variants on their larger state allows us to attack several more rounds compared to the untruncated family members. In addition, we improve upon the best published collisions for 24-step SHA-512 and present practical collisions for 27 steps of SHA-512/224, SHA-512/256, and SHA-512.

2 citations


Posted Content
TL;DR: Since the first fault attacks by Boneh et al., a number of fault attack techniques, such as differential fault analysis, collision fault analysis and safe error attacks, have been proposed; when targeting authenticated encryption schemes, however, these techniques are usually precluded by the unique nonce required by most of these schemes.
Abstract: Since the first demonstration of fault attacks by Boneh et al. on RSA, a multitude of fault attack techniques on various cryptosystems have been proposed. Most of these techniques, like Differential Fault Analysis, Safe Error Attacks, and Collision Fault Analysis, have the requirement to process two inputs that are either identical or related, in order to generate pairs of correct/faulty ciphertexts. However, when targeting authenticated encryption schemes, this is in practice usually precluded by the unique nonce required by most of these schemes.

Posted Content
01 Jan 2016
TL;DR: In this article, the authors show that the underlying assumptions of independence, and thus the derived bounds, are incorrect, and they provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds.
Abstract: Simpira v1 is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The designers' security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity \(2^{82.62}\) for the recommended full 15 rounds and a truncated 256-bit hash value, and complexity \(2^{110.16}\) for 16 rounds and the full 512-bit hash value. These attacks violate the designers' security claims that there are no structural distinguishers with complexity below \(2^{128}\).