Dagstuhl Seminar Proceedings, Volume 9031



Publication Details

  • published at: 2009-03-30
  • Publisher: Schloss Dagstuhl – Leibniz-Zentrum für Informatik

Access Numbers

Documents

No documents found matching your filter selection.
Document
09031 Abstracts Collection – Symmetric Cryptography

Authors: Helena Handschuh, Stefan Lucks, Bart Preneel, and Phillip Rogaway


Abstract
From 11.01.09 to 16.01.09, the Seminar 09031 in ``Symmetric Cryptography '' was held in Schloss Dagstuhl~--~Leibniz Center for Informatics. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available.

Cite as

Helena Handschuh, Stefan Lucks, Bart Preneel, and Phillip Rogaway. 09031 Abstracts Collection – Symmetric Cryptography. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-17, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{handschuh_et_al:DagSemProc.09031.1,
  author =	{Handschuh, Helena and Lucks, Stefan and Preneel, Bart and Rogaway, Phillip},
  title =	{{09031 Abstracts Collection – Symmetric Cryptography }},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--17},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.1},
  URN =		{urn:nbn:de:0030-drops-19603},
  doi =		{10.4230/DagSemProc.09031.1},
  annote =	{Keywords: Symmetric cryptography, symmetric primitives and cryptoschemes, hash functions, block ciphers, stream ciphers}
}
Document
09031 Executive Summary – Symmetric Cryptography

Authors: Helena Handschuh, Stefan Lucks, Bart Preneel, and Phillip Rogaway


Abstract
Research in Symmetric Cryptography is quickly evolving. The seminar was the second of its kind, the first one took place in 2007. We observe a steadily increasing interest in Symmetric Cryptography, as well as a growing practical demand for symmetric algorithms and protocols. The seminar was very successful in discussing recent results and sharing new ideas. Furthermore, it inspired the participants to consider how Symmetric Cryptography has evolved in the past, and how they would like it to evolve in the future.

Cite as

Helena Handschuh, Stefan Lucks, Bart Preneel, and Phillip Rogaway. 09031 Executive Summary – Symmetric Cryptography. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-3, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{handschuh_et_al:DagSemProc.09031.2,
  author =	{Handschuh, Helena and Lucks, Stefan and Preneel, Bart and Rogaway, Phillip},
  title =	{{09031 Executive Summary – Symmetric Cryptography}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--3},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.2},
  URN =		{urn:nbn:de:0030-drops-19590},
  doi =		{10.4230/DagSemProc.09031.2},
  annote =	{Keywords: Symmetric cryptography, symmetric primitives and cryptoschemes, hash functions, block ciphers, stream ciphers}
}
Document
Algebraic Attacks against Linear RFID Authentication Protocols

Authors: Matthias Krause and Dirk Stegemann


Abstract
The limited computational resources available on RFID tags imply a need for specially designed authentication protocols. The light weight authentication protocol $extsf{HB}^+$ proposed by Juels and Weis seems currently secure for several RFID applications, but is too slow for many practical settings. As a possible alternative, authentication protocols based on choosing random elements from $L$ secret linear $n$-dimensional subspaces of $GF(2)^{n+k}$ (so called linear $(n,k,L)$-protocols), have been considered. We show that to a certain extent, these protocols are vulnerable to algebraic attacks. Particularly, our approach allows to break Cicho'{n}, Klonowski and Kutyl owski's $ extsf{CKK}^2$-protocol, a special linear $(n,k,2)$-protocol, for practically recommended parameters in less than a second on a standard PC. Moreover, we show that even unrestricted $(n,k,L)$-protocols can be efficiently broken if $L$ is too small.

Cite as

Matthias Krause and Dirk Stegemann. Algebraic Attacks against Linear RFID Authentication Protocols. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-18, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{krause_et_al:DagSemProc.09031.3,
  author =	{Krause, Matthias and Stegemann, Dirk},
  title =	{{Algebraic Attacks against Linear RFID Authentication Protocols}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--18},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.3},
  URN =		{urn:nbn:de:0030-drops-19576},
  doi =		{10.4230/DagSemProc.09031.3},
  annote =	{Keywords: RFID Authentication, HB+, CKK, CKK2}
}
Document
Cache Timing Analysis of eStream Finalists

Authors: Erik Zenner


Abstract
Cache Timing Attacks have attracted a lot of cryptographic attention due to their relevance for the AES. However, their applicability to other cryptographic primitives is less well researched. In this talk, we give an overview over our analysis of the stream ciphers that were selected for phase 3 of the eStream project.

Cite as

Erik Zenner. Cache Timing Analysis of eStream Finalists. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-8, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{zenner:DagSemProc.09031.4,
  author =	{Zenner, Erik},
  title =	{{Cache Timing Analysis of eStream Finalists}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--8},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.4},
  URN =		{urn:nbn:de:0030-drops-19437},
  doi =		{10.4230/DagSemProc.09031.4},
  annote =	{Keywords: Cache timing attacks, stream ciphers}
}
Document
Classification of the SHA-3 Candidates

Authors: Ewan Fleischmann, Christian Forler, and Michael Gorski


Abstract
In this note we give an overview on the current state of the SHA-3 candidates. First, we classify all publicly known candidates and, second, we outline and summarize the performance data as given in the candidates documentation for $64$-bit and $32$-bit implementations. We define performance classes and classify the hash algorithms. Note, that this article will be updated as soon as new candidates arrive or new cryptanalytic results get published. Comments to the authors of this article are welcome.

Cite as

Ewan Fleischmann, Christian Forler, and Michael Gorski. Classification of the SHA-3 Candidates. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-11, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{fleischmann_et_al:DagSemProc.09031.5,
  author =	{Fleischmann, Ewan and Forler, Christian and Gorski, Michael},
  title =	{{Classification of the SHA-3 Candidates}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--11},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.5},
  URN =		{urn:nbn:de:0030-drops-19482},
  doi =		{10.4230/DagSemProc.09031.5},
  annote =	{Keywords: Hash function, SHA-3, classification}
}
Document
Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

Authors: Jean-Philippe Aumasson, Itai Dinur, Willi Meier, and Adi Shamir


Abstract
CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2\^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2\^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2\^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect nonrandomness over 885 rounds in 2\^27, improving on the original 767-round cube attack.

Cite as

Jean-Philippe Aumasson, Itai Dinur, Willi Meier, and Adi Shamir. Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-22, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{aumasson_et_al:DagSemProc.09031.6,
  author =	{Aumasson, Jean-Philippe and Dinur, Itai and Meier, Willi and Shamir, Adi},
  title =	{{Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--22},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.6},
  URN =		{urn:nbn:de:0030-drops-19443},
  doi =		{10.4230/DagSemProc.09031.6},
  annote =	{Keywords: Cube attacks, property testing, MD6, Trivium}
}
Document
Grøstl - a SHA-3 candidate

Authors: Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen


Abstract
Grøstl is a SHA-3 candidate proposal. Grøstl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grøstl is transparent and based on principles very different from those used in the SHA-family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grøstl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grøstl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grøstl. Grøstl is a so-called wide-pipe construction where the size of the internal state is significantly larger than the size of the output. This has the effect that all known, generic attacks on the hash function are made much more difficult. Grøstl has good performance on a wide range of platforms and counter-measures against side-channel attacks are well-understood from similar work on the AES.

Cite as

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl - a SHA-3 candidate. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-33, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{gauravaram_et_al:DagSemProc.09031.7,
  author =	{Gauravaram, Praveen and Knudsen, Lars R. and Matusiewicz, Krystian and Mendel, Florian and Rechberger, Christian and Schl\"{a}ffer, Martin and Thomsen, S{\o}ren S.},
  title =	{{Gr{\o}stl - a SHA-3 candidate}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--33},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.7},
  URN =		{urn:nbn:de:0030-drops-19554},
  doi =		{10.4230/DagSemProc.09031.7},
  annote =	{Keywords: SHA-3 proposal, hash function}
}
Document
Internal collision attack on Maraca

Authors: Anne Canteaut and Maria Naya-Plasencia


Abstract
We present an internal collision attack against the new hash function Maraca which has been submitted to the SHA-3 competition. This attack requires 2^{237} calls to the round function and its complexity is lower than the complexity of the generic collision attack when the length of the message digest is greater than or equal to 512. It is shown that this cryptanalysis mainly exploits some particular differential properties of the inner permutation, which are in some sense in contradiction with the usual security criterion which guarantees the resistance to differential attacks.

Cite as

Anne Canteaut and Maria Naya-Plasencia. Internal collision attack on Maraca. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-15, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{canteaut_et_al:DagSemProc.09031.8,
  author =	{Canteaut, Anne and Naya-Plasencia, Maria},
  title =	{{Internal collision attack on Maraca}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--15},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.8},
  URN =		{urn:nbn:de:0030-drops-19538},
  doi =		{10.4230/DagSemProc.09031.8},
  annote =	{Keywords: Hash function, collision attack, differential cryptanalysis, Boolean function}
}
Document
Mini-ciphers: a reliable testbed for cryptanalysis?

Authors: Jorge Nakahara and Daniel Santana de Freitas


Abstract
This paper reports on higher-order square analysis of the AES cipher. We present experimental results of attack simulations on mini-AES versions with word sizes of 3, 4, 5, 6 and 7 bits and describe the propagation of higher-order Lambda-sets inside some of these distinguishers. A possible explanation of the length of the square distinguishers uses the concept of higher-order derivatives of discrete mappings.

Cite as

Jorge Nakahara and Daniel Santana de Freitas. Mini-ciphers: a reliable testbed for cryptanalysis?. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-13, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{nakahara_et_al:DagSemProc.09031.9,
  author =	{Nakahara, Jorge and Santana de Freitas, Daniel},
  title =	{{Mini-ciphers: a reliable testbed for cryptanalysis?}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--13},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.9},
  URN =		{urn:nbn:de:0030-drops-19614},
  doi =		{10.4230/DagSemProc.09031.9},
  annote =	{Keywords: Mini-ciphers, higher-order square attacks}
}
Document
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis

Authors: Johannes A. Buchmann, Jintai Ding, Mohamed Saied Emam Mohamed, and Wael Said Abd Elmageed Mohamed


Abstract
MutantXL is an algorithm for solving systems of polynomial equations that was proposed at SCC 2008 and improved in PQC 2008. This article gives an overview over the MutantXL algorithm. It also presents experimental results comparing the behavior of the MutantXL algorithm to the $F_4$ algorithm on HFE and randomly generated multivariate systems. In both cases MutantXL is faster and uses less memory than the Magma's implementation of $F_4$.

Cite as

Johannes A. Buchmann, Jintai Ding, Mohamed Saied Emam Mohamed, and Wael Said Abd Elmageed Mohamed. MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-7, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{buchmann_et_al:DagSemProc.09031.10,
  author =	{Buchmann, Johannes A. and Ding, Jintai and Mohamed, Mohamed Saied Emam and Mohamed, Wael Said Abd Elmageed},
  title =	{{MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--7},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.10},
  URN =		{urn:nbn:de:0030-drops-19456},
  doi =		{10.4230/DagSemProc.09031.10},
  annote =	{Keywords: Multivariate systems, MutantXL}
}
Document
Parallel Generation of l-Sequences

Authors: Andrea Röck and Cédric Lauradoux


Abstract
The generation of pseudo-random sequences at a high rate is an important issue in modern communication schemes. The representation of a sequence can be scaled by decimation to obtain parallelism and more precisely a sub-sequences generator. Sub-sequences generators and therefore decimation have been extensively used in the past for linear feedback shift registers (LFSRs). However, the case of automata with a non linear feedback is still in suspend. In this work, we have studied how to transform of a feedback with carry shift register (FCSR) into a sub-sequences generator. We examine two solutions for this transformation, one based on the decimation properties of $ell$-sequences, extit{i.e.} FCSR sequences with maximal period, and the other one based on multiple steps implementation. We show that the solution based on the decimation properties leads to much more costly results than in the case of LFSRs. For the multiple steps implementation, we show how the propagation of carries affects the design. par This work represents a cooperation with Cédric Lauradoux and was presented at the international conference on SEquences and Their Applications (SETA) 2008.

Cite as

Andrea Röck and Cédric Lauradoux. Parallel Generation of l-Sequences. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-6, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{rock_et_al:DagSemProc.09031.11,
  author =	{R\"{o}ck, Andrea and Lauradoux, C\'{e}dric},
  title =	{{Parallel Generation of l-Sequences}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--6},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.11},
  URN =		{urn:nbn:de:0030-drops-19569},
  doi =		{10.4230/DagSemProc.09031.11},
  annote =	{Keywords: Sequences, synthesis, decimation, parallelism, LFSRs, FCSRs}
}
Document
Practical Collisions for EnRUPT

Authors: Sebastiaan Indesteege and Bart Preneel


Abstract
The EnRUPT hash functions were proposed by O'Neil, Nohl and Henzen as candidates for the SHA-3 competition, organised by NIST. The proposal contains seven hash functions, each having a different digest length. We present a practical collision attack on all of these seven EnRUPT variants. The time complexity of our attack varies from $2^{36}$ to $2^{40}$ round computations, depending on the EnRUPT variant, and the memory requirements are negligible. We demonstrate that our attack is practical by giving an actual collision example for EnRUPT-256.

Cite as

Sebastiaan Indesteege and Bart Preneel. Practical Collisions for EnRUPT. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-15, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{indesteege_et_al:DagSemProc.09031.12,
  author =	{Indesteege, Sebastiaan and Preneel, Bart},
  title =	{{Practical Collisions for EnRUPT}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--15},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.12},
  URN =		{urn:nbn:de:0030-drops-19509},
  doi =		{10.4230/DagSemProc.09031.12},
  annote =	{Keywords: EnRUPT, SHA-3 candidate, hash function, collision attack}
}
Document
Practical Preimages for Maraca

Authors: Sebastiaan Indesteege and Bart Preneel


Abstract
We show a practical preimage attack on the cryptographic hash function Maraca, which was submitted as a candidate to the NIST SHA-3 competition. Our attack has been verified experimentially.

Cite as

Sebastiaan Indesteege and Bart Preneel. Practical Preimages for Maraca. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-2, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{indesteege_et_al:DagSemProc.09031.13,
  author =	{Indesteege, Sebastiaan and Preneel, Bart},
  title =	{{Practical Preimages for Maraca}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--2},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.13},
  URN =		{urn:nbn:de:0030-drops-19512},
  doi =		{10.4230/DagSemProc.09031.13},
  annote =	{Keywords: Maraca, hash function, preimage attack}
}
Document
Statistical Tests for Key Recovery Using Multidimensional Extension of Matsui's Algorithm 1

Authors: Miia Hermelin, Joo Yeon Cho, and Kaisa Nyberg


Abstract
In one dimension, there is essentially just one binomially distributed statistic, bias or correlation, for testing correctness of a key bit in Matsui's Algorithm 1. In multiple dimensions, different statistical approaches for finding the correct key candidate are available. The purpose of this work is to investigate the efficiency of such test in theory and practice, and propose a new key class ranking statistic using distributions based on multidimensional linear approximation and generalisation of the ranking statistic presented by Selc cuk.

Cite as

Miia Hermelin, Joo Yeon Cho, and Kaisa Nyberg. Statistical Tests for Key Recovery Using Multidimensional Extension of Matsui's Algorithm 1. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-14, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{hermelin_et_al:DagSemProc.09031.14,
  author =	{Hermelin, Miia and Cho, Joo Yeon and Nyberg, Kaisa},
  title =	{{Statistical Tests for Key Recovery Using Multidimensional   Extension of Matsui's Algorithm 1}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--14},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.14},
  URN =		{urn:nbn:de:0030-drops-19541},
  doi =		{10.4230/DagSemProc.09031.14},
  annote =	{Keywords: Block cipher, key recovery attacks, key ranking, linear cryptanalysis, multidimensional approximation}
}
Document
Sufficient conditions for sound tree hashing modes

Authors: Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche


Abstract
We consider the general case of tree hashing modes that make use of an underlying compression function. We consider such a tree hashing mode sound if differentiating it from a random oracle, assuming the underlying compression function is a random oracle can be proven to be hard. We demonstrate two properties that such a tree hashing mode must have for such a proof to exist. For each of the two properties we show that several solutions exist to realize them. For some given solutions we demonstrate that a simple proof of indifferentiability exists and obtain an upper bound on the differentiability probability of $q^2/2^n$ with $q$ the number of queries to the underlying compression function and $n$ its output length. Finally we give two examples of hashing modes for which this proof applies: KeccakTree and Prefix-free Merkle-Damgard.

Cite as

Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Sufficient conditions for sound tree hashing modes. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, p. 1, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{bertoni_et_al:DagSemProc.09031.15,
  author =	{Bertoni, Guido and Daemen, Joan and Peeters, Micha\"{e}l and Van Assche, Gilles},
  title =	{{Sufficient conditions for sound tree hashing modes}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--1},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.15},
  URN =		{urn:nbn:de:0030-drops-19463},
  doi =		{10.4230/DagSemProc.09031.15},
  annote =	{Keywords: Tree Hashing, Indifferentiability}
}
Document
The Lane hash function

Authors: Sebastiaan Indesteege, Elena Andreeva, Christophe De Cannière, Orr Dunkelman, Emilia Käsper, Svetla Nikova, Bart Preneel, and Elmar Tischhauser


Abstract
We propose the cryptographic hash function Lane as a candidate for the SHA-3 competition organised by NIST. Lane is an iterated hash function supporting multiple digest sizes. Components of the AES block cipher are reused as building blocks. Lane aims to be secure, easy to understand, elegant and flexible in implementation.

Cite as

Sebastiaan Indesteege, Elena Andreeva, Christophe De Cannière, Orr Dunkelman, Emilia Käsper, Svetla Nikova, Bart Preneel, and Elmar Tischhauser. The Lane hash function. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-14, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{indesteege_et_al:DagSemProc.09031.16,
  author =	{Indesteege, Sebastiaan and Andreeva, Elena and De Canni\`{e}re, Christophe and Dunkelman, Orr and K\"{a}sper, Emilia and Nikova, Svetla and Preneel, Bart and Tischhauser, Elmar},
  title =	{{The Lane hash function}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--14},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.16},
  URN =		{urn:nbn:de:0030-drops-19523},
  doi =		{10.4230/DagSemProc.09031.16},
  annote =	{Keywords: Lane, SHA-3 candidate, hash function}
}
Document
The Road from Panama to Keccak via RadioGatún

Authors: Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche


Abstract
In this presentation, we explain the design choices of Panama [1] and RadioGatun [2], which lead to Keccak [3]. After a brief recall of Panama, RadioGatun and the trail backtracking cost, we focus on three important aspects. First, we explain the role of the belt in the light of differential trails. Second, we discuss the relative advantages of a block mode hash function compared to a stream mode one. Finally, we point out why Panama and RadioGatun are not sponge functions and why their design philosophy differs from that of Keccak. [1] J. Daemen and C. S. K. Clapp, FSE 1998 [2] G. Bertoni et al., NIST Hash Workshop 2006 [3] G. Bertoni et al., SHA-3 submission, 2008

Cite as

Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. The Road from Panama to Keccak via RadioGatún. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-9, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{bertoni_et_al:DagSemProc.09031.17,
  author =	{Bertoni, Guido and Daemen, Joan and Peeters, Micha\"{e}l and Van Assche, Gilles},
  title =	{{The Road from Panama to Keccak via RadioGat\'{u}n}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--9},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.17},
  URN =		{urn:nbn:de:0030-drops-19587},
  doi =		{10.4230/DagSemProc.09031.17},
  annote =	{Keywords: Hash function, cryptography}
}
Document
The SHAvite-3 - A New Hash Function

Authors: Orr Dunkelman and Eli Biham


Abstract
In this work we present SHAvite-3, a secure and efficient hash function based on the HAIFA construction and the AES building blocks. SHAvite-3 uses a well understood set of primitives such as a Feistel block cipher which iterates a round function based on the AES round. SHAvite-3's compression functions are secure against cryptanalysis, while the selected mode of iteration offers maximal security against black box attacks on the hash function. SHAvite-3 is both fast and resource-efficient, making it suitable for a wide range of environments, ranging from 8-bit platforms to 64-bit platforms (and beyond).

Cite as

Orr Dunkelman and Eli Biham. The SHAvite-3 - A New Hash Function. In Symmetric Cryptography. Dagstuhl Seminar Proceedings, Volume 9031, pp. 1-39, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2009)


Copy BibTex To Clipboard

@InProceedings{dunkelman_et_al:DagSemProc.09031.18,
  author =	{Dunkelman, Orr and Biham, Eli},
  title =	{{The SHAvite-3 - A New Hash Function}},
  booktitle =	{Symmetric Cryptography},
  pages =	{1--39},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2009},
  volume =	{9031},
  editor =	{Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.18},
  URN =		{urn:nbn:de:0030-drops-19471},
  doi =		{10.4230/DagSemProc.09031.18},
  annote =	{Keywords: SHAvite-3, SHA-3, hash function}
}

Filters


Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail