Author
Florian Mendel
Other affiliations: Katholieke Universiteit Leuven, Graz University of Technology
Bio: Florian Mendel is an academic researcher from Infineon Technologies. The author has contributed to research in topics: Hash function & Collision attack. The author has an hindex of 31, co-authored 147 publications receiving 3430 citations. Previous affiliations of Florian Mendel include Katholieke Universiteit Leuven & Graz University of Technology.
Papers
More filters
Posted Content•
01 Jan 2016TL;DR: In this article, the authors show that the underlying assumptions of independence, and thus the derived bounds, are incorrect, and they provide dierential trails with only 40 (instead of 75) active S-boxes for the recom- mended 15 rounds.
Abstract: Simpira v1 is a recently proposed family of permutations, based on the AES round function. The design includes recommenda- tions for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The designers' security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide dierential trails with only 40 (instead of 75) active S-boxes for the recom- mended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity 2 82:62 for the recommended full 15 rounds and a truncated 256-bit hash value, and complexity 2 110:16 for 16 rounds and the full 512-bit hash value. These attacks violate the designers' security claims that there are no structural distinguishers with complexity below 2 128 .
Posted Content•
TL;DR: In this paper, a heuristic search tool is presented for finding linear characteristics even for primitives with a relatively large state, and without a strongly aligned structure, and applied the presented tool on the underlying permutations of the first round CAESAR candidates Ascon, ICEPOLE, Keyak, Minalpher and Prost.
Abstract: Differential and linear cryptanalysis are the general purpose tools to analyze various cryptographic primitives. Both techniques have in common that they rely on the existence of good differential or linear characteristics. The difficulty of finding such characteristics depends on the primitive. For instance, AES is designed to be resistant against differential and linear attacks and therefore, provides upper bounds on the probability of possible linear characteristics. On the other hand, we have primitives like SHA-1, SHA-2, and Keccak, where finding good and useful characteristics is an open problem. This becomes particularly interesting when considering, for example, competitions like CAESAR. In such competitions, many cryptographic primitives are waiting for analysis. Without suitable automatic tools, this is a virtually infeasible job. In recent years, various tools have been introduced to search for characteristics. The majority of these only deal with differential characteristics. In this work, we present a heuristic search tool which is capable of finding linear characteristics even for primitives with a relatively large state, and without a strongly aligned structure. As a proof of concept, we apply the presented tool on the underlying permutations of the first round CAESAR candidates Ascon, ICEPOLE, Keyak, Minalpher and Prost.
Cited by
More filters
[...]
TL;DR: There is, I think, something ethereal about i —the square root of minus one, which seems an odd beast at that time—an intruder hovering on the edge of reality.
Abstract: There is, I think, something ethereal about i —the square root of minus one. I remember first hearing about it at school. It seemed an odd beast at that time—an intruder hovering on the edge of reality.
Usually familiarity dulls this sense of the bizarre, but in the case of i it was the reverse: over the years the sense of its surreal nature intensified. It seemed that it was impossible to write mathematics that described the real world in …
33,785 citations
2,687 citations
[...]
TL;DR: This work considers the resistance of ciphers, and LED in particular, to related-key attacks, and is able to derive simple yet interesting AES-like security proofs for LED regarding related- or single- key attacks.
Abstract: We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation.
848 citations
TL;DR: This paper has implemented a proof-of-concept for decentralized energy trading system using blockchain technology, multi-signatures, and anonymous encrypted messaging streams, enabling peers to anonymously negotiate energy prices and securely perform trading transactions.
Abstract: Smart grids equipped with bi-directional communication flow are expected to provide more sophisticated consumption monitoring and energy trading. However, the issues related to the security and privacy of consumption and trading data present serious challenges. In this paper we address the problem of providing transaction security in decentralized smart grid energy trading without reliance on trusted third parties. We have implemented a proof-of-concept for decentralized energy trading system using blockchain technology, multi-signatures, and anonymous encrypted messaging streams, enabling peers to anonymously negotiate energy prices and securely perform trading transactions. We conducted case studies to perform security analysis and performance evaluation within the context of the elicited security and privacy requirements.
837 citations
04 Dec 2011
TL;DR: This paper presents the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: the first key recovery method for the full AES-128 with computational complexity 2126.1.4 and key recovery methods with lower complexity for the reduced-round versions of AES not considered before.
Abstract: Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:
The first key recovery method for the full AES-128 with computational complexity 2126.1.
The first key recovery method for the full AES-192 with computational complexity 2189.7.
The first key recovery method for the full AES-256 with computational complexity 2254.4.
Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2124.9.
Preimage search for compression functions based on the full AES versions faster than brute force.
In contrast to most shortcut attacks on AES variants, we do not need to assume related-keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.
543 citations