
Showing papers on "Collision attack published in 2021"


Book ChapterDOI
16 Aug 2021
TL;DR: This paper studies dedicated quantum collision attacks on SHA-256 and SHA-512 for the first time; the attacks reach 38 and 39 steps, respectively, significantly improving on the classical attacks of 31 and 27 steps.
Abstract: In this paper, we study dedicated quantum collision attacks on SHA-256 and SHA-512 for the first time. The attacks reach 38 and 39 steps, respectively, which significantly improve the classical attacks for 31 and 27 steps. Both attacks adopt the framework of the previous work that converts many semi-free-start collisions into a 2-block collision, and are faster than the generic attack in the cost metric of time-space tradeoff. We observe that the number of required semi-free-start collisions can be reduced in the quantum setting, which allows us to convert the previous classical 38 and 39 step semi-free-start collisions into a collision. The idea behind our attacks is simple and will also be applicable to other cryptographic hash functions.

35 citations


Book ChapterDOI
16 Aug 2021
TL;DR: At EUROCRYPT 2021, Bao et al. proposed an automatic method for systematically exploring the configuration space of meet-in-the-middle (MITM) preimage attacks; this paper extends it into a constraint-based framework for finding exploitable MITM characteristics in the context of key-recovery and collision attacks, taking the subtle peculiarities of both scenarios into account.
Abstract: At EUROCRYPT 2021, Bao et al. proposed an automatic method for systematically exploring the configuration space of meet-in-the-middle (MITM) preimage attacks. We further extend it into a constraint-based framework for finding exploitable MITM characteristics in the context of key-recovery and collision attacks by taking the subtle peculiarities of both scenarios into account. Moreover, to perform attacks based on MITM characteristics with nonlinear constrained neutral words, which have not been seen before, we present a procedure for deriving the solution spaces of neutral words without solving the corresponding nonlinear equations or increasing the overall time complexities of the attack. We apply our method to concrete symmetric-key primitives, including SKINNY, ForkSkinny, Romulus-H, Saturnin, Grostl, WHIRLPOOL, and hashing modes with AES-256. As a result, we identify the first 23-round key-recovery attack on SKINNY-n-3n and the first 24-round key-recovery attack on ForkSkinny-n-3n in the single-key model. Moreover, improved (pseudo) preimage or collision attacks on round-reduced WHIRLPOOL, Grostl, and hashing modes with AES-256 are obtained. In particular, employing the new representation of the AES key schedule due to Leurent and Pernot (EUROCRYPT 2021), we identify the first preimage attack on 10-round AES-256 hashing.

19 citations


Journal ArticleDOI
TL;DR: The first attack that uses collision information caused by a persistent fault in the substitution box (S-box) to recover the entire 128-bit key of the Advanced Encryption Standard (AES) is presented, and the authors theoretically prove that the complexity can be reduced in more than half of the cases if the number of collision ciphertexts follows a uniform distribution.
Abstract: A transient fault-based collision attack always requires injecting faults multiple times. We present the first attack that uses collision information caused by a persistent fault in the substitution box (S-box) to recover the entire 128-bit key of the Advanced Encryption Standard (AES). Moreover, a relatively relaxed fault model is required; i.e., the attacker does not know any information about the position, the length (i.e., the number of bytes), or the value of the injected fault. At most 4096 chosen plaintexts are required for a persistent fault-based collision attack (PFCA), and the computational complexity is $O(2^{23})$ in the worst case in the single-byte fault setting. A filtering algorithm is presented in the multibyte fault setting, and we theoretically prove that the complexity can be reduced to $O(2^{12})$ in more than half of the cases if the number of collision ciphertexts follows a uniform distribution. In addition, PFCAs against a software implementation of AES are simulated on a laptop, and the results show that the success probability of the attack, either with online key searching or with offline key searching, approaches 100%. In particular, more than 97% of all experiments output the right key with complexity $O(2^{12})$ in the multibyte fault setting. Therefore, the attack is more efficient in this scenario. Furthermore, the attack works on an AES implementation protected by Boolean masking. Finally, PFCAs against AES implementations separately protected by two widely used countermeasures—the inverse S-box and the parity-1 matrix—are performed. The experimental results illustrate that only a 10-round protection using the first method can completely defeat the attack.

8 citations



Journal ArticleDOI
TL;DR: This article proposes a Minkowski distance enhanced collision attack (MDCA) whose performance is closer to that of the template attack (TA) than the traditional correlation-enhanced collision attack (CECA), making the optimization more practical and meaningful.
Abstract: Recovering keys ranked in a very deep candidate space efficiently is a very important but challenging issue in side-channel attacks (SCAs). State-of-the-art collision-optimized divide-and-conquer attacks (CODCAs) extract collision information from a collision attack to optimize the key recovery of a divide-and-conquer attack, and transform the very huge guessing space into a much smaller collision space. However, the inefficient collision detection makes them time-consuming. The very limited collisions exploited and the large performance difference between the collision attack and the divide-and-conquer attack in CODCAs also prevent their application in much larger spaces. In this article, we propose a Minkowski distance enhanced collision attack (MDCA) with performance closer to template attack (TA) compared to traditional correlation-enhanced collision attack (CECA), thus making the optimization more practical and meaningful. Next, we build a more advanced CODCA named full-collision chain (FCC) from TA and MDCA to exploit all collisions. Moreover, to minimize the thresholds while guaranteeing a high success probability of key recovery, we propose a fault-tolerant scheme to optimize FCC. The full key is divided into several big “blocks,” on which a fault-tolerant vector (FTV) is exploited to flexibly adjust its chain space. Finally, guessing theory is exploited to optimize threshold determination and the search order of subkeys. Experimental results show that FCC notably outperforms the existing CODCAs.

2 citations


Journal ArticleDOI
TL;DR: This work introduces guessing theory into TA to enable the quick estimation of success probability and the corresponding complexity of key recovery, and proposes a novel Multiple-Differential mechanism for CODCAs (MD-CODCA), which significantly reduces the candidate space and lowers the complexity of collision detection.
Abstract: Several combined attacks have shown promising results in recovering cryptographic keys by introducing collision information into divide-and-conquer attacks to transform a part of the best key candidates within given thresholds into a much smaller collision space. However, these Collision-Optimized Divide-and-Conquer Attacks (CODCAs) uniformly demarcate the thresholds for all sub-keys, which is unreasonable. Moreover, the inadequate exploitation of collision information and backward fault tolerance mechanisms of CODCAs also lead to low attack efficiency. Finally, existing CODCAs mainly focus on improving collision detection algorithms but lack theoretical basis. We exploit Correlation-Enhanced Collision Attack (CECA) to optimize Template Attack (TA). To overcome the above-mentioned problems, we first introduce guessing theory into TA to enable the quick estimation of success probability and the corresponding complexity of key recovery. Next, a novel Multiple-Differential mechanism for CODCAs (MD-CODCA) is proposed. The first two differential mechanisms construct collision chains satisfying the given number of collisions from several sub-keys with the fewest candidates under a fixed probability provided by guessing theory, then exploit them to vote for the remaining sub-keys. This guarantees that the number of remaining chains is minimal, and makes MD-CODCA suitable for very high thresholds. Our third differential mechanism simply divides the key into several large non-overlapping “blocks” to further exploit intra-block collisions from the remaining candidates and properly ignore the inter-block collisions, thus facilitating the later key enumeration. The experimental results show that MD-CODCA significantly reduces the candidate space and lowers the complexity of collision detection, without considerably reducing the success probability of attacks.

2 citations


Journal ArticleDOI
TL;DR: Inspired by the existing work on SIMON, explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and other ciphers utilizing similar non-linear operations are proposed.
Abstract: Subterranean 2.0 is a cipher suite that can be used for hashing, authenticated encryption, MAC computation, etc. It was designed by Daemen, Massolino, Mehrdad, and Rotella, and has been selected as a candidate in the second round of NIST’s lightweight cryptography standardization process. Subterranean 2.0 is a duplex-based construction and utilizes a single-round permutation in the duplex. It is the simplicity of the round function that makes it an attractive target of cryptanalysis. In this paper, we examine the single-round permutation in various phases of Subterranean 2.0 and specify three related attack scenarios that deserve further investigation: keystream biases in the keyed squeezing phase, state collisions in the keyed absorbing phase, and one-round differential analysis in the nonce-misuse setting. To facilitate cryptanalysis in the first two scenarios, we novelly propose a set of size-reduced toy versions of Subterranean 2.0: Subterranean-m. Then we make an observation for the first time on the resemblance between the non-linear layer in the round function of Subterranean 2.0 and SIMON’s round function. Inspired by the existing work on SIMON, we propose explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and other ciphers utilizing similar non-linear operations. We then construct our models for searching trails to be used in the keystream bias evaluation and state collision attacks. Our results show that most instances of Subterranean-m are secure in the first two attack scenarios but there exist instances that are not. Further, we find a flaw in the designers’ reasoning of Subterranean 2.0’s linear bias but support the designers’ claim that there is no linear bias measurable from at most $2^{96}$ data blocks. Due to the time-consuming search, the security of Subterranean 2.0 against the state collision attack in keyed modes still remains an open question. Finally, we observe that one-round differentials allow recovering state bits in the nonce-misuse setting. By proposing nested one-round differentials, we obtain a sufficient number of state bits, leading to a practical state recovery with only 20 repetitions of the nonce and 88 blocks of data. It is noted that our work does not threaten the security of Subterranean 2.0.

1 citation


Book ChapterDOI
17 May 2021
TL;DR: In this article, the authors studied the challenges and costs of building an ASIC cluster for performing chosen-prefix collision attacks against a hash function and proposed two cryptanalytic strategies that can be used to find such collisions.
Abstract: In February 2017, the SHA-1 hashing algorithm was practically broken using an identical-prefix collision attack implemented on a GPU cluster, and in January 2020 a chosen-prefix collision was first computed with practical implications on various security protocols. These advances opened the door for several research questions, such as the minimal cost to perform these attacks in practice. In particular, one may wonder what is the best technology for software/hardware cryptanalysis of such primitives. In this paper, we address some of these questions by studying the challenges and costs of building an ASIC cluster for performing attacks against a hash function. Our study takes into account different scenarios and includes two cryptanalytic strategies that can be used to find such collisions: a classical generic birthday search, and a state-of-the-art differential attack using neutral bits for SHA-1.

1 citation


Book ChapterDOI
12 Aug 2021
TL;DR: This paper studies both guess-and-determine and near collision attacks for recovering A5/1 states with negligible memory complexities and proposes a new guessing technique that constructs linear equation filters in a more efficient manner.
Abstract: At ASIACRYPT 2019, Zhang proposes a near collision attack on A5/1. He claims that such an attack method can recover the 64-bit A5/1 state with a time complexity around $2^{32}$ cipher ticks and requires negligible memory complexities. Soon after its proposal, Zhang’s near collision attack is severely challenged by Derbez et al. who claim that Zhang’s attack cannot have a time complexity lower than Golic’s memoryless guess-and-determine attack dating back to EUROCRYPT 1997. In this paper, we study both the guess-and-determine and the near collision attacks for recovering A5/1 states with negligible memory complexities. In order to make a fair comparison, we recover the state $\boldsymbol{s}^0$ using both methods. We propose a new guessing technique that can construct linear equation filters in a more efficient manner. When evaluating time complexities, we take the filtering strength of the linear equation systems into account, making the complexities more convincing. According to our detailed analysis, the new guess-and-determine attack can recover the state $\boldsymbol{s}^0$ with a time complexity of $2^{43.91}$ simple operations. The time complexity for the near collision attack is $2^{50.57}$ simple operations.

1 citation


Proceedings ArticleDOI
09 Nov 2021
TL;DR: This paper presents collision-based attacks on Yao and Chen’s and Xiao and Lai’s white-box SM4 implementations with a time complexity of about $2^{23}$ for recovering a round key.
Abstract: The SM4 block cipher has a 128-bit block length and a 128-bit user key, and was formerly known as SMS4. It is a Chinese national standard and an ISO international standard. White-box cryptography aims primarily to protect the secret key used in a cryptographic software implementation in the white-box scenario, which assumes an attacker has full access to the execution environment and execution details of an implementation. Since white-box cryptography has many real-life applications nowadays, a few white-box implementations of the SM4 block cipher have been proposed. In particular, in 2009 Xiao and Lai presented the first white-box SM4 implementation based on the traditional way, which has been attacked with the lowest currently published attack complexity of about $2^{32}$ using the affine equivalence technique; and in 2020 Yao and Chen presented a white-box SM4 implementation based on state expansion, and obtained the lowest attack complexity of about $2^{51}$ among a variety of attack techniques. In this paper, we present collision-based attacks on Yao and Chen’s and Xiao and Lai’s white-box SM4 implementations with a time complexity of about $2^{23}$ for recovering a round key, and thus show that their security is much lower than previously published.

Journal ArticleDOI
TL;DR: The results show that the complexity of differential collision attack based on the Brassard-Hoyer-Tapp and Grover algorithms is lower than that of quantization when using only the Grover algorithm and that different algorithms and methods can be combined to produce a more effective cryptanalysis approach.
Abstract: Feistel schemes are important components of symmetric ciphers, which have been extensively studied in the classical setting. We examine the extension methods of differential distinguishers of Feistel key-function and Feistel function-key schemes. The schemes are subjected to quantum differential collision distinguishing attacks based on these methods. The results show that the complexity is lower than that of differential attacks using only the Grover algorithm, and the complexity of the differential collision attack based on the Brassard-Hoyer-Tapp and Grover algorithms is lower than that of quantization when using only the Grover algorithm. The results also show that different algorithms and methods can be combined to produce a more effective cryptanalysis approach. This provides a research direction for postquantum cryptographic analysis and design.

Book ChapterDOI
17 Sep 2021
TL;DR: This paper studies the security of Even-Mansour structure hash functions, including preimage attack resistance and multi-block collision attack resistance.
Abstract: In this paper, we mainly focus on the security of Even-Mansour structure hash functions, including preimage attack resistance and multi-block collision attack resistance.

Posted Content
TL;DR: A Differential Private Noise Cancellation Model for Load Monitoring and Billing for Smart Meters (DPNCT) is proposed to protect the privacy of smart grid data using a noise cancellation protocol with a master smart meter, providing accurate billing and load monitoring.
Abstract: High-frequency reporting of energy utilization data in smart grids can be used to infer sensitive information regarding the consumer's lifestyle. We propose A Differential Private Noise Cancellation Model for Load Monitoring and Billing for Smart Meters (DPNCT) to protect the privacy of the smart grid data using a noise cancellation protocol with a master smart meter to provide accurate billing and load monitoring. Next, we evaluate the performance of DPNCT under various privacy attacks such as the filtering attack, the negative noise cancellation attack and the collusion attack. The DPNCT model relies on trusted master smart meters and is vulnerable to a collusion attack where an adversary colludes with malicious smart meters in order to get private information of other smart meters. In this paper, we propose an Enhanced DPNCT (E-DPNCT) where we use multiple master smart meters for split noise at each instant in time t for better protection against the collusion attack. We did an extensive comparison of our E-DPNCT model with state-of-the-art attack-resistant privacy-preserving models such as EPIC for collision attack and with the Barbosa Differentially Private (BDP) model for filtering attack. We evaluate our E-DPNCT model with real-time data, which shows significant improvement in privacy attack scenarios without any compute-intensive operations.

Patent
12 Mar 2021
TL;DR: In this paper, the authors proposed an information dispersion method based on distributed object storage system security, which comprises the following steps: S1, calculating a data block hash value in a salting manner to resist collision attack of a hash function and improve the confidentiality of data; S2, improving the calculation efficiency by using an SHA2512 hash algorithm, and replacing the random key with the hash value of the original data; and S3, inputting the data with the same content, and encoding the data through an AONTNZZD algorithm to generate data blocks with the
Abstract: The invention is applicable to the field of data information distribution technology improvement, and provides an information dispersion method based on distributed object storage system security, which comprises the following steps: S1, calculating a data block hash value in a salting manner to resist collision attack of a hash function and improve the confidentiality of data; S2, improving the calculation efficiency by using an SHA2512 hash algorithm, and replacing the random key with the hash value of the original data; S3, inputting the data with the same content, and encoding the data through an AONTNZZD algorithm to generate data blocks with the same content so as to realize data deduplication. According to the AONTNZZD algorithm, the length of a data block is additionally selected as a salt value of the hash operation when the hash value of the data block is calculated, and therefore an attacker can be prevented from carrying out a hash function attack. According to the AONTNZZD algorithm, an NZZD code based on binary shift and exclusive-OR operation is adopted, and a relatively good encoding and decoding rate is achieved.

Posted Content
TL;DR: Tan and Wong (ACISP 2012) proposed the generalized FPT-ROM (GFPT-ROM) to capture the chosen prefix collision attack suggested by Stevens et al. (EUROCRYPT 2007); this paper formalizes GFPT-ROM and proposes three additional weakened random oracle models capturing that attack and its variants.
Abstract: Weakened random oracle models (WROMs) are variants of the random oracle model (ROM). The WROMs have the random oracle and an additional oracle which breaks some property of a hash function. By analyzing the security of cryptographic schemes in WROMs, we can specify the property of a hash function on which the security of cryptographic schemes depends. Liskov (SAC 2006) proposed WROMs and later Numayama et al. (PKC 2008) formalized them as CT-ROM, SPT-ROM, and FPT-ROM. In each model, there is an additional oracle to break collision resistance, second preimage resistance, and preimage resistance, respectively. Tan and Wong (ACISP 2012) proposed the generalized FPT-ROM (GFPT-ROM), which is intended to capture the chosen prefix collision attack suggested by Stevens et al. (EUROCRYPT 2007). In this paper, in order to analyze the security of cryptographic schemes more precisely, we formalize GFPT-ROM and propose three additional WROMs which capture the chosen prefix collision attack and its variants. In particular, we focus on signature schemes such as RSA-FDH, its variants, and DSA, in order to understand the essential roles of WROMs in their security proofs.