scispace - formally typeset
Search or ask a question
Author

Florian Mendel

Bio: Florian Mendel is an academic researcher from Infineon Technologies. The author has contributed to research in topics: Hash function & Collision attack. The author has an hindex of 31, co-authored 147 publications receiving 3430 citations. Previous affiliations of Florian Mendel include Katholieke Universiteit Leuven & Graz University of Technology.


Papers
More filters
Book ChapterDOI
13 Jul 2009
TL;DR: The rebound attack consists of an inbound phase with a match-in-the-middle part to exploit the available degrees of freedom in a collision attack to efficiently bypass the low probability parts of a differential trail.
Abstract: In this work, we propose the rebound attack, a new tool for the cryptanalysis of hash functions. The idea of the rebound attack is to use the available degrees of freedom in a collision attack to efficiently bypass the low probability parts of a differential trail. The rebound attack consists of an inbound phase with a match-in-the-middle part to exploit the available degrees of freedom, and a subsequent probabilistic outbound phase. Especially on AES based hash functions, the rebound attack leads to new attacks for a surprisingly high number of rounds. We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit hash function Whirlpool with a complexity of 2120 compression function evaluations and negligible memory requirements. The attack can be extended to a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5 rounds of the similar hash function Maelstrom. Additionally, we apply the rebound attack to the SHA-3 submission Grostl, which leads to an attack on 6 rounds of the Grostl-256 compression function with a complexity of 2120 and memory requirements of about 264.

282 citations

Journal Article
TL;DR: Grostl is a SHA-3 candidate proposal, an iterated hash function with a compression function built from two fixed, large, distinct permutations, which has the effect that all known, generic attacks on the hash function are made much more difficult.
Abstract: Grostl is a SHA-3 candidate proposal. Grostl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grostl is transparent and based on principles very different from those used in the SHA-family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grostl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grostl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grostl. Grostl is a so-called wide-pipe construction where the size of the internal state is significantly larger than the size of the output. This has the effect that all known, generic attacks on the hash function are made much more difficult. Grostl has good performance on a wide range of platforms and counter-measures against side-channel attacks are well-understood from similar work on the AES.

246 citations

Proceedings Article
01 Jan 2009
TL;DR: Grostl as mentioned in this paper is a SHA-3 candidate with a compression function built from two fixed, large, distinct permutations, which are used to give strong statements about the resistance of Grostl against large classes of cryptanalytic attacks.
Abstract: Grostl is a SHA-3 candidate proposal. Grostl is an iterated hash function with a compression function built from two �fixed, large, distinct permutations. The design of Grostl is transparent and based on principles very different from those used in the SHA-family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grostl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grostl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grostl

184 citations

Book ChapterDOI
02 Dec 2009
TL;DR: This work presents a distinguishing attack on the full compression function of Whirlpool by improving the rebound attack on reducedWhirlpool with two new techniques and shows how to turn this near-collision attack into a distinguishable attack for the full 10 round compression function.
Abstract: Whirlpool is a hash function based on a block cipher that can be seen as a scaled up variant of the AES The main difference is the (compared to AES) extremely conservative key schedule In this work, we present a distinguishing attack on the full compression function of Whirlpool We obtain this result by improving the rebound attack on reduced Whirlpool with two new techniques First, the inbound phase of the rebound attack is extended by up to two rounds using the available degrees of freedom of the key schedule This results in a near-collision attack on 95 rounds of the compression function of Whirlpool with a complexity of 2176 and negligible memory requirements Second, we show how to turn this near-collision attack into a distinguishing attack for the full 10 round compression function of Whirlpool This is the first result on the full Whirlpool compression function

166 citations

Proceedings ArticleDOI
16 Aug 2018
TL;DR: Novel fault attacks that work in the presence of detection-based and infective countermeasures are presented and the attacks exploit the fact that intermediate values leading to “fault-free” ciphertexts show a non-uniform distribution, while they should be distributed uniformly.
Abstract: Since the seminal work of Boneh et al, the threat of fault attacks has been widely known and techniques for fault attacks and countermeasures have been studied extensively The vast majority of the literature on fault attacks focuses on the ability of fault attacks to change an intermediate value to a faulty one, such as differential fault analysis (DFA), collision fault analysis, statistical fault attack (SFA), fault sensitivity analysis, or differential fault intensity analysis (DFIA) The other aspect of faults—that faults can be induced and do not change a value—has been researched far less In case of symmetric ciphers, ineffective fault attacks (IFA) exploit this aspect However, IFA relies on the ability of an attacker to reliably induce reproducible deterministic faults like stuck-at faults on parts of small values (eg, one bit or byte), which is often considered to be impracticableAs a consequence, most countermeasures against fault attacks do not focus on such attacks, but on attacks exploiting changes of intermediate values and usually try to detect such a change (detection-based), or to destroy the exploitable information if a fault happens (infective countermeasures) Such countermeasures implicitly assume that the release of “fault-free” ciphertexts in the presence of a fault-inducing attacker does not reveal any exploitable information In this work, we show that this assumption is not valid and we present novel fault attacks that work in the presence of detection-based and infective countermeasures The attacks exploit the fact that intermediate values leading to “fault-free” ciphertexts show a non-uniform distribution, while they should be distributed uniformly The presented attacks are entirely practical and are demonstrated to work for software implementations of AES and for a hardware co-processor These practical attacks rely on fault induction by means of clock glitches and hence, are achieved using only low-cost equipment This is feasible because our attack is very robust under noisy fault induction attempts and does not require the attacker to model or profile the exact fault effect We target two types of countermeasures as examples: simple time redundancy with comparison and several infective countermeasures However, our attacks can be applied to a wider range of countermeasures and are not restricted to these two countermeasures

116 citations


Cited by
More filters
Journal ArticleDOI

[...]

08 Dec 2001-BMJ
TL;DR: There is, I think, something ethereal about i —the square root of minus one, which seems an odd beast at that time—an intruder hovering on the edge of reality.
Abstract: There is, I think, something ethereal about i —the square root of minus one. I remember first hearing about it at school. It seemed an odd beast at that time—an intruder hovering on the edge of reality. Usually familiarity dulls this sense of the bizarre, but in the case of i it was the reverse: over the years the sense of its surreal nature intensified. It seemed that it was impossible to write mathematics that described the real world in …

33,785 citations

Book ChapterDOI
28 Sep 2011
TL;DR: This work considers the resistance of ciphers, and LED in particular, to related-key attacks, and is able to derive simple yet interesting AES-like security proofs for LED regarding related- or single- key attacks.
Abstract: We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation.

848 citations

Journal ArticleDOI
TL;DR: This paper has implemented a proof-of-concept for decentralized energy trading system using blockchain technology, multi-signatures, and anonymous encrypted messaging streams, enabling peers to anonymously negotiate energy prices and securely perform trading transactions.
Abstract: Smart grids equipped with bi-directional communication flow are expected to provide more sophisticated consumption monitoring and energy trading. However, the issues related to the security and privacy of consumption and trading data present serious challenges. In this paper we address the problem of providing transaction security in decentralized smart grid energy trading without reliance on trusted third parties. We have implemented a proof-of-concept for decentralized energy trading system using blockchain technology, multi-signatures, and anonymous encrypted messaging streams, enabling peers to anonymously negotiate energy prices and securely perform trading transactions. We conducted case studies to perform security analysis and performance evaluation within the context of the elicited security and privacy requirements.

837 citations

Book ChapterDOI
04 Dec 2011
TL;DR: This paper presents the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: the first key recovery method for the full AES-128 with computational complexity 2126.1.4 and key recovery methods with lower complexity for the reduced-round versions of AES not considered before.
Abstract: Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: The first key recovery method for the full AES-128 with computational complexity 2126.1. The first key recovery method for the full AES-192 with computational complexity 2189.7. The first key recovery method for the full AES-256 with computational complexity 2254.4. Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2124.9. Preimage search for compression functions based on the full AES versions faster than brute force. In contrast to most shortcut attacks on AES variants, we do not need to assume related-keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.

543 citations