
Showing papers by "Jean-Philippe Aumasson published in 2008"


01 Jan 2008
TL;DR: BLAKE is the proposal for SHA-3 that uses the HAIFA iteration mode and builds its compression function on the ChaCha core function, and resists generic second-preimage attacks, length extension, and side-channel attacks.
Abstract: BLAKE is our proposal for SHA-3. BLAKE entirely relies on previously analyzed components: it uses the HAIFA iteration mode and builds its compression function on the ChaCha core function. BLAKE resists generic second-preimage attacks, length extension, and side-channel attacks. Theoretical and empirical security guarantees are given, against structural and differential attacks. BLAKE hashes on a Core 2 Duo at 12 cycles/byte, and on an 8-bit PIC microcontroller at 400 cycles/byte. In hardware BLAKE can be implemented in less than 9900 gates, and reaches a throughput of 6 Gbps.
Affiliations: FHNW, Windisch, Switzerland, jeanphilippe.aumasson@gmail.com; ETHZ, Zurich, Switzerland, henzen@iis.ee.ethz.ch; FHNW, Windisch, Switzerland, willi.meier@fhnw.ch; Loughborough University, UK, r.phan@lboro.ac.uk

236 citations


Book ChapterDOI
10 Feb 2008
TL;DR: In this paper, neutral bits are used for differential cryptanalysis of Salsa20 and ChaCha, inspired by correlation attacks and related to the notion of neutral bits in stream cipher cryptanalysis.
Abstract: The stream cipher Salsa20 was introduced by Bernstein in 2005 as a candidate in the eSTREAM project, accompanied by the reduced versions Salsa20/8 and Salsa20/12. ChaCha is a variant of Salsa20 aiming at bringing better diffusion for similar performance. Variants of Salsa20 with up to 7 rounds (instead of 20) have been broken by differential cryptanalysis, while ChaCha has not been analyzed yet. We introduce a novel method for differential cryptanalysis of Salsa20 and ChaCha, inspired by correlation attacks and related to the notion of neutral bits. This is the first application of neutral bits in stream cipher cryptanalysis. It allows us to break the 256-bit version of Salsa20/8, to bring faster attacks on the 7-round variant, and to break 6- and 7-round ChaCha. In a second part, we analyze the compression function Rumba, built as the XOR of four Salsa20 instances and returning a 512-bit output. We find collision and preimage attacks for two simplified variants, then we discuss differential attacks on the original version, and exploit a high-probability differential to reduce the complexity of collision search from 2^256 to 2^79 for 3-round Rumba. To prove the correctness of our approach we provide examples of collisions and near-collisions on simplified versions.

115 citations


Book ChapterDOI
10 Feb 2008
TL;DR: A new hash function family based on the HAIFA framework is proposed, inheriting built-in randomized hashing and higher security guarantees than the Merkle-Damgard construction against generic attacks, with a nested feedforward mechanism and an internal wide-pipe construction within the compression function.
Abstract: This paper advocates a new hash function family based on the HAIFA framework, inheriting built-in randomized hashing and higher security guarantees than the Merkle-Damgård construction against generic attacks. The family has as its special design features: a nested feedforward mechanism and an internal wide-pipe construction within the compression function. As examples, we give two proposed instances that compute 256- and 512-bit digests, with an 8- and 10-round compression function respectively.

39 citations


Book ChapterDOI
14 Dec 2008
TL;DR: This paper presents a simple technique that reduces this cost to 2^(n/2) and negligible memory, when the IV can be chosen by the attacker; additional benefits are shorter messages than the Kelsey/Schneier attack and cost-optimality.
Abstract: Joux's multicollision attack is one of the most striking results on hash functions and also one of the simplest: it computes a k-collision on iterated hashes in time ⌈log2 k⌉·2^(n/2), whereas k!^(1/k)·2^(n(k−1)/k) was thought to be optimal. Kelsey and Schneier improved this to 3·2^(n/2) if storage 2^(n/2) is available and if the compression function admits easily found fixed points. This paper presents a simple technique that reduces this cost to 2^(n/2) and negligible memory, when the IV can be chosen by the attacker. Additional benefits are shorter messages than the Kelsey/Schneier attack and cost-optimality.

8 citations


Book ChapterDOI
11 Jun 2008
TL;DR: This paper identifies methods for dithering blockcipher-based hash functions that provide security bounds and efficiency, contrary to the previous proposals, based on the 12 secure PGV schemes.
Abstract: In the context of iterated hash functions, "dithering" designates the technique of adding an iteration-dependent input to the compression function in order to defeat certain generic attacks. The purpose of this paper is to identify methods for dithering blockcipher-based hash functions that provide security bounds and efficiency, contrary to the previous proposals. We considered 56 different constructions, based on the 12 secure PGV schemes. Proofs are given in the black-box model that 12 of them preserve the bounds on collision and inversion resistance given by Black et al. These 12 schemes avoid the need for short dither values, induce negligible extra computation, and achieve security independent of the dither sequence used. We also identify 8 schemes that lead to strong compression functions but potentially insecure hash functions. Application of our results can be considered to popular hash functions like SHA-1 or Whirlpool.

5 citations


Journal Article
TL;DR: Preimage attacks on 3-pass HAVAL and step-reduced MD5 have been studied in this article, where the authors show that the security margin is not as high as expected.
Abstract: This paper presents preimage attacks on the hash functions 3-pass HAVAL and step-reduced MD5. Introduced in 1992 and 1991 respectively, these functions underwent severe collision attacks, but no preimage attack. We describe two preimage attacks on the compression function of 3-pass HAVAL. The attacks have a complexity of about 2^224 compression function evaluations instead of 2^256. We present several preimage attacks on the MD5 compression function that invert up to 47 steps (out of 64) within 2^96 trials instead of 2^128. Although our attacks are not practical, they show that the security margin of 3-pass HAVAL and step-reduced MD5 with respect to preimage attacks is not as high as expected.

5 citations


Posted Content
TL;DR: The first external analysis of CubeHash is presented, with improved standard generic attacks for collisions and preimages, and results are more general, since they apply to any choice of the parameters, and show intrinsic properties of the CubeHash design.
Abstract: Bernstein's CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h (the compression function makes r rounds, while the finalization function makes 10r rounds). The 1024-bit internal state of CubeHash is represented as a five-dimensional hypercube. The submissions to NIST recommend r = 8, b = 1, and h ∈ {224, 256, 384, 512}. This paper presents the first external analysis of CubeHash, with
• improved standard generic attacks for collisions and preimages
• a multicollision attack that exploits fixed points
• a study of the round function symmetries
• a preimage attack that exploits these symmetries
• a practical collision attack on a weakened version of CubeHash
• a study of fixed points and an example of a nontrivial fixed point
• high-probability truncated differentials over 10 rounds
Since the first publication of these results, several collision attacks for reduced versions of CubeHash were published by Dai, Peyrin, et al. Our results are more general, since they apply to any choice of the parameters, and show intrinsic properties of the CubeHash design, rather than attacks on specific versions.

4 citations


Proceedings ArticleDOI
12 May 2008
TL;DR: It is asserted that NGNs will be increasingly human-aided and privacy-driven, and a model that allows formal analysis of network privacy, including the tracing of entities, is proposed.
Abstract: New generation networks (NGNs) deployed in the next five to ten years will integrate a myriad of underlying network technologies into a common internet protocol (IP) backbone. We put forward two theses on how NGNs will evolve based on recent trends in increasing ubiquity and the need for increased security. We assert that NGNs will be increasingly human-aided and privacy-driven. We discuss how these points are inter-related, and then we culminate this paper with a model that allows formal analysis of network privacy, including the tracing of entities.

4 citations


Posted Content
TL;DR: Preimage attacks on 3-pass HAVAL and step-reduced MD5 have been studied in this paper, where the authors show that the security margin is not as high as expected.
Abstract: This paper presents preimage attacks on the hash functions 3-pass HAVAL and step-reduced MD5. Introduced in 1992 and 1991 respectively, these functions underwent severe collision attacks, but no preimage attack. We describe two preimage attacks on the compression function of 3-pass HAVAL. The attacks have a complexity of about 2 compression function evaluations instead of 2. We present several preimage attacks on the MD5 compression function that invert up to 47 steps (out of 64) within 2 trials instead of 2. Although our attacks are not practical, they show that the security margin of 3-pass HAVAL and step-reduced MD5 with respect to preimage attacks is not as high as expected.

4 citations