Somitra Kumar Sanadhya

Bio: Somitra Kumar Sanadhya is an academic researcher from Indian Institute of Technology Ropar. The author has contributed to research in topics: Hash function & SHA-2. The author has an hindex of 13, co-authored 91 publications receiving 649 citations. Previous affiliations of Somitra Kumar Sanadhya include Indian Institute of Technology, Jodhpur & Indian Statistical Institute.

FPGA-Based True Random Number Generation Using Programmable Delays in Oscillator-Rings

Abstract: True random number generators (TRNGs) play a fundamental role in cryptographic systems. This brief presents a new and efficient method to generate true random numbers on field programmable gate array (FPGA) by utilizing the random jitter of free-running oscillators as a source of randomness. The free-running oscillator rings incorporate programmable delay lines (PDLs) to generate large variation of the oscillations and to introduce jitter in the generated ring oscillators clocks. The main advantage of the proposed TRNG utilizing PDLs is to reduce correlation between several equal length oscillator rings, and thus improve the randomness qualities. In addition, a Von Neumann corrector as post-processor is employed to remove any bias in the output bit sequence. The validation of the proposed approach is demonstrated on Xilinx Spartan-3A FPGAs. The proposed TRNG occupies 528 slices, achieves 6 Mb/s throughput with 0.999 per bit entropy rate, and passes all the national institute of standards and technology (NIST) statistical tests.

New Collision Attacks against Up to 24-Step SHA-2

Abstract: In this work, we provide new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08. The success probability of our 22-step attack is 1 for both SHA-256 and SHA-512. The computational efforts for the 23-step and 24-step SHA-256 attacks are respectively 211.5 and 228.5 calls to the corresponding step reduced SHA-256. The corresponding values for the 23 and 24-step SHA-512 attack are respectively 216.5 and 232.5 calls. Using a look-up table having 232 (resp. 264) entries the computational effort for finding 24-step SHA-256 (resp. SHA-512) collisions can be reduced to 215.5 (resp. 222.5) calls. We exhibit colliding message pairs for 22, 23 and 24-step SHA-256 and SHA-512. This is the first time that a colliding message pair for 24-step SHA-512 is provided. The previous work on 23 and 24-step SHA-2 attacks is due to Indesteege et al. and utilizes the local collision presented by Nikolic and Biryukov (NB) at FSE '08. The reported computational efforts are 218 and 228.5 for 23 and 24-step SHA-256 respectively and 243.9 and 253 for 23 and 24-step SHA-512. The previous 23 and 24-step attacks first constructed a pseudo-collision and later converted it into a collision for the reduced round SHA-2 family. We show that this two step procedure is unnecessary. Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family.

New Collision attacks Against Up To 24-step SHA-2.

Abstract: In this work, we provide new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP ’08. The success probability of our 22-step attack is 1 for both SHA-256 and SHA-512. The computational efforts for the 23-step and 24step SHA-256 attacks are respectively 2 and 2 calls to the corresponding step reduced SHA-256. The corresponding values for the 23 and 24-step SHA-512 attack are respectively 2 and 2 calls. Using a look-up table having 2 (resp. 2) entries the computational effort for finding 24-step SHA-256 (resp. SHA-512) collisions can be reduced to 2 (resp. 2) calls. We exhibit colliding message pairs for 22, 23 and 24-step SHA-256 and SHA-512. This is the first time that a colliding message pair for 24-step SHA-512 is provided. The previous work on 23 and 24-step SHA-2 attacks is due to Indesteege et al. and utilizes the local collision presented by Nikolic and Biryukov (NB) at FSE ’08. The reported computational efforts are 2 and 2 for 23 and 24-step SHA-256 respectively and 2 and 2 for 23 and 24-step SHA-512. The previous 23 and 24-step attacks first constructed a pseudo-collision and later converted it into a collision for the reduced round SHA-2 family. We show that this two step procedure is unnecessary. Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family.

Cryptanalysis of SIMON Variants with Connections

Abstract: SIMON is a family of 10 lightweight block ciphers published by Beaulieu et al. from the United States National Security Agency (NSA). A cipher in this family with \(K\)-bit key and \(N\)-bit block is called SIMON\({N}/{K}\). We present several linear characteristics for reduced-round SIMON32/64 that can be used for a key-recovery attack and extend them further to attack other variants of SIMON. Moreover, we provide results of key recovery analysis using several impossible differential characteristics starting from 14 out of 32 rounds for SIMON32/64 to 22 out of 72 rounds for SIMON128/256. In some cases the presented observations do not directly yield an attack, but provide a basis for further analysis for the specific SIMON variant. Finally, we exploit a connection between linear and differential characteristics for SIMON to construct linear characteristics for different variants of reduced-round SIMON. Our attacks extend to all variants of SIMON covering more rounds compared to any known results using linear cryptanalysis. We present a key recovery attack against SIMON128/256 which covers 35 out of 72 rounds with data complexity \(2^{123}\). We have implemented our attacks for small scale variants of SIMON and our experiments confirm the theoretical bias presented in this work.

Differential Fault Analysis of SHA-3

Abstract: In this paper we present the first differential fault analysis DFA of SHA-3. This attack can recover the internal state of two versions of SHA-3 namely, SHA3-512 and SHA3-384 and can be used to forge MAC's which are using these versions of SHA-3. Assuming that the attacker can inject a random single bit fault on the intermediate state of the hash computation, and given the output of the SHA-3 version for a correct message and 80 faulty messages, we can extract 1592 out of the 1600 bits of the compression function's internal state. To the best of our knowledge, this is the first public analysis of SHA-3 against DFA. Although our results do not compromise any security claim of SHA-3, it shows the feasibility of DFA on this scheme and possibly other Sponge based MACs and increases our understanding of SHA-3.

The SIMON and SPECK lightweight block ciphers

Abstract: The Simon and Speck families of block ciphers were designed specifically to offer security on constrained devices, where simplicity of design is crucial. However, the intended use cases are diverse and demand flexibility in implementation. Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design. This paper outlines how these goals were balanced in the design of Simon and Speck.

The Skein Hash Function Family

Abstract: Executive Summary Skein is a new family of cryptographic hash functions. Its design combines speed, security, simplicity , and a great deal of flexibility in a modular package that is easy to analyze. Skein is fast. Skein-512—our primary proposal—hashes data at 6.1 clock cycles per byte on a 64-bit CPU. This means that on a 3.1 GHz x64 Core 2 Duo CPU, Skein hashes data at 500 MBytes/second per core—almost twice as fast as SHA-512 and three times faster than SHA-256. An optional hash-tree mode speeds up parallelizable implementations even more. Skein is fast for short messages, too; Skein-512 hashes short messages in about 1000 clock cycles. Skein is secure. Its conservative design is based on the Threefish block cipher. The current best attack on the tweaked Threefish-512 is on 35 of 72 rounds, for a safety factor of just over 2.0. For comparison, at a similar stage in the standardization process, the AES encryption algorithm had an attack on 6 of 10 rounds, for a safety factor of only 1.7. Additionally, Skein has a number of provably secure properties, greatly increasing confidence in the algorithm. Skein is simple. Using only three primitive operations, the Skein compression function can be easily understood and remembered. The rest of the algorithm is a straightforward iteration of this function. Skein is flexible. Skein is defined for three different internal state sizes—256 bits, 512 bits, and 1024 bits—and any output size. This allows Skein to be a drop-in replacement for the entire SHA family of hash functions. A completely optional and extendable argument system makes Skein an efficient tool to use for a very large number of functions: PRNG, stream cipher, key derivation function, authentication without the overhead of HMAC, and personalization capability. All these features can be implemented with very low overhead. Together with the Threefish large-block cipher at Skein's core, this design provides a full set of symmetric cryptographic primitives suitable for most modern applications. Skein is efficient on a variety of platforms, both hardware and software. Skein-512 can be implemented in about 200 bytes of state. Small devices, such as 8-bit smart cards, can implement Skein-256 using about 100 bytes of memory. Larger devices can implement the larger versions of Skein to achieve faster speeds. Skein was designed by a team of highly experienced cryptographic experts from academia and industry , with expertise in cryptography, security analysis, software, chip design, and …

Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers

Abstract: We propose two systematic methods to describe the differential property of an S-box with linear inequalities based on logical condition modelling and computational geometry respectively. In one method, inequalities are generated according to some conditional differential properties of the S-box; in the other method, inequalities are extracted from the H-representation of the convex hull of all possible differential patterns of the S-box. For the second method, we develop a greedy algorithm for selecting a given number of inequalities from the convex hull. Using these inequalities combined with Mixed-integer Linear Programming (MILP) technique, we propose an automatic method for evaluating the security of bit-oriented block ciphers against the (related-key) differential attack with several techniques for obtaining tighter security bounds, and a new tool for finding (related-key) differential characteristics automatically for bit-oriented block ciphers.

SIMON and SPECK: Block Ciphers for the Internet of Things.

Abstract: The U.S. National Security Agency (NSA) developed the Simon and Speck families of lightweight block ciphers as an aid for securing applications in very constrained environments where AES may not be suitable. This paper summarizes the algorithms, their design rationale, along with current cryptanalysis and implementation results.

Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process

Abstract: The National Institute of Standards and Technology is in the process of selecting one or more public-key cryptographic algorithms through a public competition-like process. The new publickey cryptography standards will specify one or more additional digital signature, public-key encryption, and key-establishment algorithms to augment FIPS 186-4, Digital Signature Standard (DSS), as well as special publications SP 800-56A Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, and SP 800-56B, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization. It is intended that these algorithms will be capable of protecting sensitive information well into the foreseeable future, including after the advent of quantum computers. In November 2017, 82 candidate algorithms were submitted to NIST for consideration. Among these, 69 met both the minimum acceptance criteria and our submission requirements, and were accepted as First-Round Candidates on Dec. 20, 2017, marking the beginning of the First Round of the NIST Post-Quantum Cryptography Standardization Process. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 26 candidate algorithms announced on January 30, 2019 for moving forward to the second round of the competition. The 17 Second-Round Candidate public-key encryption and key-establishment algorithms are BIKE, Classic McEliece, CRYSTALS-KYBER, FrodoKEM, HQC, LAC, LEDAcrypt (merger of LEDAkem/LEDApkc), NewHope, NTRU (merger of NTRUEncrypt/NTRU-HRSS-KEM), NTRU Prime, NTS-KEM, ROLLO (merger of LAKE/LOCKER/Ouroboros-R), Round5 (merger of Hila5/Round2), RQC, SABER, SIKE, and Three Bears. The 9 Second-Round Candidates for digital signatures are CRYSTALS-DILITHIUM, FALCON, GeMSS, LUOV, MQDSS, Picnic, qTESLA, Rainbow, and SPHINCS+.