Showing papers by "Jean-Philippe Aumasson published in 2010"

QUARK: a lightweight hash

Abstract: The need for lightweight cryptographic hash functions has been repeatedly expressed by application designers, notably for implementing RFID protocols. However not many designs are available, and the ongoing SHA-3 Competition probably won't help, as it concerns general-purpose designs and focuses on software performance. In this paper, we thus propose a novel design philosophy for lightweight hash functions, based on a single security level and on the sponge construction, to minimize memory requirements. Inspired by the lightweight ciphers Grain and KATAN, we present the hash function family QUARK, composed of the three instances U-QUARK, D-QUARK, and T-QUARK. Hardware benchmarks show that QUARK compares well to previous lightweight hashes. For example, our lightest instance U-QUARK conjecturally provides at least 64-bit security against all attacks (collisions, multicollisions, distinguishers, etc.), fits in 1379 gate-equivalents, and consumes in average 2.44 µW at 100 kHz in 0.18 µm ASIC. For 112- bit security, we propose T-QUARK, which we implemented with 2296 gate-equivalents.

Differential and invertibility properties of BLAKE

Abstract: BLAKE is a hash function selected by NIST as one of the 14 second round candidates for the SHA-3 Competition. In this paper, we follow a bottom-up approach to exhibit properties of BLAKE and of its building blocks: based on differential properties of the internal function G, we show that a round of BLAKE is a permutation on the message space, and present an efficient inversion algorithm. For 1.5 rounds we present an algorithm that finds preimages faster than in previous attacks. Discovered properties lead us to describe large classes of impossible differentials for two rounds of BLAKE's internal permutation, and particular impossible differentials for five and six rounds, respectively for BLAKE-32 and BLAKE-64. Then, using a linear and rotation-free model, we describe near-collisions for four rounds of the compression function.

Distinguishers for the compression function and output transformation of hamsi-256

Abstract: Hamsi is one of 14 remaining candidates in NIST's Hash Competition for the future hash standard SHA-3. Until now, little analysis has been published on its resistance to differential cryptanalysis, the main technique used to attack hash functions. We present a study of Hamsi's resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of Hamsi. Our main results are efficient distinguishers and near-collisions for its full (3-round) compression function, and distinguishers for its full (6-round) finalization function, indicating that Hamsi's building blocks do not behave ideally.

Cryptanalysis of ESSENCE

Abstract: ESSENCE is a hash function submitted to the NIST Hash Competition that stands out as a hardware-friendly and highly parallelizable design. Previous analysis showed some non-randomness in the compression function which could not be extended to an attack on the hash function and ESSENCE remained unbroken. Preliminary analysis in its documentation argues that it resists standard differential cryptanalysis. This paper disproves this claim, showing that advanced techniques can be used to significantly reduce the cost of such attacks: using a manually found differential characteristic and an advanced search algorithm, we obtain collision attacks on the full ESSENCE-256 and ESSENCE- 512, with respective complexities 267.4 and 2134.7. In addition, we show how to use these attacks to forge valid (message, MAC) pairs for HMAC-ESSENCE-256 and HMAC-ESSENCE-512, essentially at the same cost as a collision.

Differential and invertibility properties of BLAKE (full version)

Abstract: BLAKE is a hash function selected by NIST as one of the 14 second round candidates for the SHA-3 Competition. In this paper, we follow a bottom-up approach to exhibit properties of BLAKE and of its building blocks: based on differential properties of the internal function G, we show that a round of BLAKE is a permutation on the message space, and present an efficient inversion algorithm. For 1.5 rounds we present an algorithm that finds preimages faster than in previous attacks. Discovered properties lead us to describe large classes of impossible differentials for two rounds of BLAKE's internal permutation, and particular impossible differentials for five and six rounds, respectively for BLAKE- 32 and BLAKE-64. Then, using a linear and rotation-free model, we describe near-collisions for four rounds of the compression function. Finally, we discuss the problem of establishing upper bounds on the probability of differential characteristics for BLAKE. Contribution of this paper. We establish differential properties of the permutation used in the com- pression function of BLAKE and investigate invertibility of one and more rounds. Following a bottom-up approach, we first state differential properties of the core function G. We exploit them to show injectivity of one round of the permutation with respect to the message space. We derive explicit input-output equations for G, which yield an efficient algorithm to invert one round and an improved algorithm to find a preimage ∗ Full version of paper presented at FSE 2010. Supported in part by European Commission through the ICT

Cryptanalysis of splay tree based encryption.

Abstract: We present a chosen-plaintext attack on KIST, a recently proposed encryption scheme based on splay trees. Our attack recovers a 128-bit key with approximately 2 bit operations and fewer than 2 chosen-plaintext queries. Splay trees are a type of binary search search trees discovered by Sleator and Tarjan in 1983 [1, 2]. Splay trees are self-adjusting, in the sense that a tree modifies itself at each access to a node—the modification being called “splaying”. In 1988, Jones proposed [3] a simplification of splay trees to compress data, and proposed to use splay trees to encrypt data using a similar method with as key a secret initial tree. The (rather old) word processor Lotus Ami Pro included a basic, deliberately insecure, version of splay tree based encryption to allow export [4]. As the basic version of splay tree based encryption is insecure, Jones proposed [5] two techniques to strengthen that scheme. Recently, Wei and Zeng argued [6] that Jones’ strengthened schemes are also insecure, and proposed a new encryption scheme based on splay trees, called KIST. Below we describe a chosen-plaintext attack for that new scheme. We refer to [6] for a description of KIST. Our attack is based on the following observations: • By doing 256 chosen-plaintext encryption queries with the bytes 0, 1, . . . , 255, one can determine the initial shape of the tree (that is, after initialization) and the value of its leaves, since the encoding of each byte gives the position of that byte (as a leaf) within the tree. • Generalizing the above technique, one can determine the shape of the tree after encrypting any sequence of bytes, in 2 chosen-plaintext queries. Note that one does not recover the labels of the inner nodes, but only those of the leaves. • Given the shape of the tree before and after a key injection step, one can determine the two inner nodes swapped, i.e., the j such that xj = Ki+16 = Ki ⊕ xk. One can also determine k, as it is the parent of the (known) last plaintext byte processed. If the parameter N is not maximal, then one can detect when no nodes were swapped (since key injection must change the position of at least two leaves). • Each subkey word Ki, i ≥ 17, has its jth bit, 1 ≤ j ≤ 8, depending only on the jth bit of K((i−1) mod 16)+1 and on the jth bits of at most b(i − 1)/16c inner node labels. Moreover, the dependencies are fully XOR-linear. • A (semi-rotation) splaying does not depend on the value of the inner nodes, but only on the shape of the tree. Given an initial tree shape and an encrypted byte, one can thus determine the new shape of the tree by making a sequence of semi-rotations. The proposed attack goes as follows: 1. Determine the initial shape of the tree, by doing 256 chosen-plaintext queries. 2. Assign arbitrary labels x1, . . . , x255 to each of the inner nodes. 3. Set m← λ (i.e., the empty message). 4. Initialize the equations counter c← 1. 5. Initialize the loops counter i← 1. 6. While c < 255 + 16 do (a) Select an arbitrary byte si. (b) Set m← m‖si. (c) Determine the shape of the tree after encrypting m, by doing 256 chosen-plaintext queries of the form m‖b, where b = 0, 1, . . . , 255. (d) Compare the shape obtained with the shape of the previous tree after splaying around si. If the trees are distinct (that is, key injection modified the tree), then i. Determine j and k such that the node xj = Ki⊕xk is used for key injection, and add this equation to the system of equations. ii. Set c← 1 + c. (e) Set i← 1 + i. 7. Simplify the system of equations by replacing Ki+16, i ≥ 1 by an XOR between K((i−1) mod 16)+1 and labels of inner nodes, as defined by the key generation and by the equations collected. 8. For each bit slice, solve the linear system of equations with as unknown the bits of K1, . . . , K16 and of the inner nodes’ labels, at a given position. The complexity of the attack depends on the parameter N , which determines the frequency of a key injection and thus the number of iterations of the “while” loop. If N is maximal a new equation is obtained at each loop (and so c = i). One thus has to determine 272 tree shapes, where each one costs at most 2 chosen-plaintext queries. About 2 chosenplaintext queries are thus necessary to collect enough equations when N is maximal. The analysis in [6] suggests that N should be such that at least 20 % of the key injections are effective. In this case, one will need approximately 1+5×(255+16) = 1356 tree shapes. One thus needs about 2 chosen-plaintext queries. In both cases, solving the linear systems costs about 8 × 271 ≈ 2 bit operations. Slightly more than 255 + 16 equations may be necessary, to deal with linearly dependent equations. For the 7-bit version proposed in [6, §4], solving the linear systems costs about 7× (127 + 16) ≈ 2 bit operations.