National Institute of Standards and Technology における超伝導研究及び生活

Smart grids equipped with bi-directional communication flow are expected to provide more sophisticated consumption monitoring and energy trading. However, the issues related to the security and privacy of consumption and trading data present serious challenges. In this paper we address the problem of providing transaction security in decentralized smart grid energy trading without reliance on trusted third parties. We have implemented a proof-of-concept for decentralized energy trading system using blockchain technology, multi-signatures, and anonymous encrypted messaging streams, enabling peers to anonymously negotiate energy prices and securely perform trading transactions. We conducted case studies to perform security analysis and performance evaluation within the context of the elicited security and privacy requirements.

Security and Privacy in Decentralized Energy Trading Through Multi-Signatures, Blockchain and Anonymous Messaging Streams

Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:

 

The first key recovery method for the full AES-128 with computational complexity 2126.1.

The first key recovery method for the full AES-192 with computational complexity 2189.7.

The first key recovery method for the full AES-256 with computational complexity 2254.4.

Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2124.9.

Preimage search for compression functions based on the full AES versions faster than brute force.

In contrast to most shortcut attacks on AES variants, we do not need to assume related-keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.

/pdf/biclique-cryptanalysis-of-the-full-aes-pi8uwf8n7d.pdf

Biclique cryptanalysis of the full AES

We present a new tweakable block cipher family SKINNY, whose goal is to compete with NSA recent design SIMON in terms of hardware/software performances, while proving in addition much stronger security guarantees with regards to differential/linear attacks. In particular, unlike SIMON, we are able to provide strong bounds for all versions, and not only in the single-key model, but also in the related-key or related-tweak model. SKINNY has flexible block/key/tweak sizes and can also benefit from very efficient threshold implementations for side-channel protection. Regarding performances, it outperforms all known ciphers for ASIC round-based implementations, while still reaching an extremely small area for serial implementations and a very good efficiency for software and micro-controllers implementations SKINNY has the smallest total number of AND/OR/XOR gates used for encryption process.

Secondly, we present MANTIS, a dedicated variant of SKINNY for low-latency implementations, that constitutes a very efficient solution to the problem of designing a tweakable block cipher for memory encryption. MANTIS basically reuses well understood, previously studied, known components. Yet, by putting those components together in a new fashion, we obtain a competitive cipher to PRINCE in latency and area, while being enhanced with a tweak input.

/pdf/the-skinny-family-of-block-ciphers-and-its-low-latency-12yjnnzi8w.pdf

The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS

We propose a new 64-bit blockcipher Piccolo supporting 80 and 128-bit keys Adopting several novel design and implementation techniques, Piccolo achieves both high security and notably compact implementation in hardware We show that Piccolo offers a sufficient security level against known analyses including recent related-key differential attacks and meet-in-the-middle attacks In our smallest implementation, the hardware requirements for the 80 and the 128-bit key mode are only 683 and 758 gate equivalents, respectively Moreover, Piccolo requires only 60 additional gate equivalents to support the decryption function due to its involution structure Furthermore, its efficiency on the energy consumption which is evaluated by energy per bit is also remarkable Thus, Piccolo is one of the competitive ultra-lightweight blockciphers which are suitable for extremely constrained environments such as RFID tags and sensor nodes

/pdf/piccolo-an-ultra-lightweight-blockcipher-1vh23tr717.pdf

Piccolo: an ultra-lightweight blockcipher

In this article, we revisit the design strategy of PRESENT, leveraging all the advances provided by the research community in construction and cryptanalysis since its publication, to push the design up to its limits. We obtain an improved version, named GIFT, that provides a much increased efficiency in all domains (smaller and faster), while correcting the well-known weakness of PRESENT with regards to linear hulls.

GIFT : A Small Present

In this paper, we present the first cryptographic preimage attack on the full MD5 hash function. This attack, with a complexity of 2116.9, generates a pseudo-preimage of MD5 and, with a complexity of 2123.4, generates a preimage of MD5. The memory complexity of the attack is 245 ×11 words. Our attack is based on splice-and-cut and local-collision techniques that have been applied to step-reduced MD5 and other hash functions. We first generalize and improve these techniques so that they can be more efficiently applied to many hash functions whose message expansions are a permutation of message-word order in each round. We then apply these techniques to MD5 and optimize the attack by considering the details of MD5 structure.

/pdf/finding-preimages-in-full-md5-faster-than-exhaustive-search-4cjosl6px4.pdf

Finding Preimages in Full MD5 Faster Than Exhaustive Search

This paper shows preimage attacks on one-block MD4 and MD5 reduced to 63 (out of 64) steps. Our attacks are based on the meet-in-the-middle attack, and many additional improvements make the preimage computable faster than that of the brute-force attack, 2128 hash computation. A preimage of one-block MD4 can be computed in the complexity of the 2107 MD4 compression function computation, and a preimage of MD5 reduced to 63 steps can be computed in the complexity of the 2121 MD5 compression function computation. Moreover, we optimize the computational order of the brute-force attack against MD5, and a preimage of full-round MD5 can be computed in the complexity of the 2127 MD5 compression function computation.

/pdf/preimage-attacks-on-one-block-md4-63-step-md5-and-more-4cvhg5k7ld.pdf

Preimage Attacks on One-Block MD4, 63-Step MD5 and More

Preimage resistance of several hash functions has already been broken by the meet-in-the-middle attacks and they utilize a property that their message schedules consist of only permutations of message words. It is unclear whether this type of attacks is applicable to a hash function whose message schedule does not consist of permutations of message words. This paper proposes new attacks against reduced SHA-0 and SHA-1 hash functions by analyzing a message schedule that does not consist of permutations but linear combinations of message words. The newly developed cryptanalytic techniques enable the meet-in-the-middle attack to be applied to reduced SHA-0 and SHA-1 hash functions. The attacks find preimages of SHA-0 and SHA-1 in 2156.6 and 2159.3 compression function computations up to 52 and 48 steps, respectively, compared to the brute-force attack, which requires 2160 compression function computations. The previous best attacks find preimages up to 49 and 44 steps, respectively.

/pdf/meet-in-the-middle-preimage-attacks-against-reduced-sha-0-1vta03pzby.pdf

Yu Sasaki

Papers

The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS

GIFT : A Small Present

Finding Preimages in Full MD5 Faster Than Exhaustive Search

Preimage Attacks on One-Block MD4, 63-Step MD5 and More

Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1