eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Dagstuhl Seminar Proceedings
1862-4405
2009-03-30
9031
1
17
10.4230/DagSemProc.09031.1
article
09031 Abstracts Collection – Symmetric Cryptography
Handschuh, Helena
Lucks, Stefan
Preneel, Bart
Rogaway, Phillip
From 11.01.09 to 16.01.09, the Seminar 09031 in
"Symmetric Cryptography" was held
in Schloss Dagstuhl -- Leibniz Center for Informatics.
During the seminar, several participants presented their current
research, and ongoing work and open problems were discussed. Abstracts of
the presentations given during the seminar as well as abstracts of
seminar results and ideas are put together in this paper. The first section
describes the seminar topics and goals in general.
Links to extended abstracts or full papers are provided, if available.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.1/DagSemProc.09031.1.pdf
Symmetric cryptography
symmetric primitives and cryptoschemes
hash functions
block ciphers
stream ciphers
3
10.4230/DagSemProc.09031.2
article
09031 Executive Summary – Symmetric Cryptography
Handschuh, Helena
Lucks, Stefan
Preneel, Bart
Rogaway, Phillip
Research in Symmetric Cryptography is quickly evolving. The seminar was
the second of its kind, the first one took place in 2007. We observe a
steadily increasing interest in Symmetric Cryptography, as well as a
growing practical demand for symmetric algorithms and protocols.
The seminar was very successful in discussing recent results and sharing
new ideas. Furthermore, it inspired the participants to consider
how Symmetric Cryptography has evolved in the past, and how they would
like it to evolve in the future.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.2/DagSemProc.09031.2.pdf
Symmetric cryptography
symmetric primitives and cryptoschemes
hash functions
block ciphers
stream ciphers
18
10.4230/DagSemProc.09031.3
article
Algebraic Attacks against Linear RFID Authentication Protocols
Krause, Matthias
Stegemann, Dirk
The limited computational resources available on RFID tags imply a
need for specially designed authentication protocols. The lightweight
authentication protocol $\textsf{HB}^+$ proposed by Juels and Weis currently seems
secure for several RFID applications, but is too slow for many practical
settings.
As a possible alternative, authentication protocols based on choosing
random elements from $L$ secret linear $n$-dimensional subspaces of
$GF(2)^{n+k}$ (so-called linear $(n,k,L)$-protocols) have been considered. We show that, to a certain extent, these protocols are vulnerable to algebraic
attacks. In particular, our approach allows us to break Cichoń, Klonowski and Kutyłowski's $\textsf{CKK}^2$-protocol, a special linear
$(n,k,2)$-protocol, for practically recommended parameters in less
than a second on a standard PC. Moreover, we show that
even unrestricted $(n,k,L)$-protocols can be efficiently broken if $L$ is too small.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.3/DagSemProc.09031.3.pdf
RFID Authentication
HB+
CKK
CKK2
8
10.4230/DagSemProc.09031.4
article
Cache Timing Analysis of eStream Finalists
Zenner, Erik
Cache timing attacks have attracted a lot of cryptographic
attention due to their relevance for the AES. However, their
applicability to other cryptographic primitives is less well
researched. In this talk, we give an overview of our analysis
of the stream ciphers that were selected for phase 3 of the
eStream project.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.4/DagSemProc.09031.4.pdf
Cache timing attacks
stream ciphers
11
10.4230/DagSemProc.09031.5
article
Classification of the SHA-3 Candidates
Fleischmann, Ewan
Forler, Christian
Gorski, Michael
In this note we give an overview on the current state of the SHA-3
candidates. First, we classify all publicly known candidates and,
second, we outline and summarize the performance data as given in the
candidates documentation for $64$-bit and $32$-bit implementations. We
define performance classes and classify the hash algorithms. Note
that this article will be updated as soon as new candidates arrive or
new cryptanalytic results get published. Comments to the authors of
this article are welcome.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.5/DagSemProc.09031.5.pdf
Hash function
SHA-3
classification
22
10.4230/DagSemProc.09031.6
article
Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium
Aumasson, Jean-Philippe
Dinur, Itai
Meier, Willi
Shamir, Adi
CRYPTO 2008 saw the introduction of the hash function
MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic
functions having a low-degree algebraic normal form over GF(2).
This paper applies cube attacks to reduced-round MD6, finding the full
128-bit key of a 14-round MD6 with complexity $2^{22}$ (which takes less
than a minute on a single PC). This is the best key recovery attack announced
so far for MD6. We then introduce a new class of attacks called
cube testers, based on efficient property-testing algorithms, and apply
them to MD6 and to the stream cipher Trivium. Unlike the standard
cube attacks, cube testers detect nonrandom behavior rather than performing
key extraction, but they can also attack cryptographic schemes
described by nonrandom polynomials of relatively high degree. Applied
to MD6, cube testers detect nonrandomness over 18 rounds in $2^{17}$ complexity;
applied to a slightly modified version of the MD6 compression
function, they can distinguish 66 rounds from random in $2^{24}$ complexity.
Cube testers give distinguishers on Trivium reduced to 790 rounds from
random with $2^{30}$ complexity and detect nonrandomness over 885 rounds
in $2^{27}$, improving on the original 767-round cube attack.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.6/DagSemProc.09031.6.pdf
Cube attacks
property testing
MD6
Trivium
33
10.4230/DagSemProc.09031.7
article
Grøstl - a SHA-3 candidate
Gauravaram, Praveen
Knudsen, Lars R.
Matusiewicz, Krystian
Mendel, Florian
Rechberger, Christian
Schläffer, Martin
Thomsen, Søren S.
Grøstl is a SHA-3 candidate proposal. Grøstl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grøstl is transparent and based on principles very different from those used in the SHA-family.
The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grøstl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function.
Grøstl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grøstl.
Grøstl is a so-called wide-pipe construction where the size of the internal state is significantly larger than the size of the output. This has the effect that all known, generic attacks on the hash function are made much more difficult.
Grøstl has good performance on a wide range of platforms and counter-measures against side-channel attacks are well-understood from similar work on the AES.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.7/DagSemProc.09031.7.pdf
SHA-3 proposal
hash function
15
10.4230/DagSemProc.09031.8
article
Internal collision attack on Maraca
Canteaut, Anne
Naya-Plasencia, Maria
We present an internal collision attack against the new hash
function Maraca which has been submitted to the SHA-3 competition.
This attack requires $2^{237}$ calls to the round function and its complexity is
lower than the complexity of the generic collision attack when the length
of the message digest is greater than or equal to 512. It is shown that
this cryptanalysis mainly exploits some particular differential properties
of the inner permutation, which are in some sense in contradiction with
the usual security criterion which guarantees the resistance to differential
attacks.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.8/DagSemProc.09031.8.pdf
Hash function
collision attack
differential cryptanalysis
Boolean function
13
10.4230/DagSemProc.09031.9
article
Mini-ciphers: a reliable testbed for cryptanalysis?
Nakahara, Jorge
Santana de Freitas, Daniel
This paper reports on higher-order square analysis of the
AES cipher. We present experimental results of attack simulations on
mini-AES versions with word sizes of 3, 4, 5, 6 and 7 bits and describe
the propagation of higher-order Lambda-sets inside some of these distinguishers.
A possible explanation of the length of the square distinguishers uses the
concept of higher-order derivatives of discrete mappings.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.9/DagSemProc.09031.9.pdf
Mini-ciphers
higher-order square attacks
7
10.4230/DagSemProc.09031.10
article
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
Buchmann, Johannes A.
Ding, Jintai
Mohamed, Mohamed Saied Emam
Mohamed, Wael Said Abd Elmageed
MutantXL is an algorithm for solving systems of polynomial equations
that was proposed at SCC 2008 and improved in PQC 2008. This article
gives an overview of the MutantXL algorithm. It also presents
experimental results comparing the behavior of the MutantXL
algorithm to the $F_4$ algorithm on HFE and randomly generated
multivariate systems. In both cases MutantXL is faster and uses less
memory than Magma's implementation of $F_4$.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.10/DagSemProc.09031.10.pdf
Multivariate systems
MutantXL
6
10.4230/DagSemProc.09031.11
article
Parallel Generation of l-Sequences
Röck, Andrea
Lauradoux, Cédric
The generation of pseudo-random sequences at a high rate is
an important issue in modern communication schemes. The
representation of a sequence can be scaled by decimation
to obtain parallelism and more precisely a sub-sequences generator.
Sub-sequences generators and therefore decimation have been
extensively used in the past for linear feedback shift
registers (LFSRs). However, the case of automata with a non-linear
feedback is still open. In this work, we have studied
how to transform a feedback with carry shift register (FCSR) into a
sub-sequences generator. We examine two solutions for this
transformation, one based on the decimation properties of $\ell$-sequences,
i.e. FCSR sequences with maximal period, and the other one based
on a multiple-step implementation.
We show that the solution based on the decimation properties leads to much
more costly results than in the case of LFSRs. For the multiple-step
implementation, we show how the propagation of carries affects the design.

This work represents a cooperation with Cédric Lauradoux and was
presented at the international conference on SEquences and Their
Applications (SETA) 2008.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.11/DagSemProc.09031.11.pdf
Sequences
synthesis
decimation
parallelism
LFSRs
FCSRs
15
10.4230/DagSemProc.09031.12
article
Practical Collisions for EnRUPT
Indesteege, Sebastiaan
Preneel, Bart
The EnRUPT hash functions were proposed by O'Neil, Nohl and Henzen as candidates for the SHA-3 competition, organised by NIST. The proposal contains seven hash functions, each having a different digest length. We present a practical collision attack on all of these seven EnRUPT variants.
The time complexity of our attack varies from $2^{36}$ to $2^{40}$ round computations, depending on the EnRUPT variant, and the memory requirements are negligible. We demonstrate that our attack is practical by giving an actual collision example for EnRUPT-256.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.12/DagSemProc.09031.12.pdf
EnRUPT
SHA-3 candidate
hash function
collision attack
2
10.4230/DagSemProc.09031.13
article
Practical Preimages for Maraca
Indesteege, Sebastiaan
Preneel, Bart
We show a practical preimage attack on the cryptographic hash function Maraca, which was submitted as a candidate to the NIST SHA-3 competition. Our attack has been verified experimentally.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.13/DagSemProc.09031.13.pdf
Maraca
hash function
preimage attack
14
10.4230/DagSemProc.09031.14
article
Statistical Tests for Key Recovery Using Multidimensional Extension of Matsui's Algorithm 1
Hermelin, Miia
Cho, Joo Yeon
Nyberg, Kaisa
In one dimension, there is essentially just one binomially distributed statistic, bias or correlation, for testing the correctness of a key bit in Matsui's Algorithm 1. In multiple dimensions, different statistical approaches for finding the correct key candidate are available. The purpose of this work is to investigate the efficiency of such tests in theory and practice, and to propose a new key class ranking statistic using distributions based on multidimensional linear approximation and a generalisation of the ranking statistic presented by Selçuk.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.14/DagSemProc.09031.14.pdf
Block cipher
key recovery attacks
key ranking
linear cryptanalysis
multidimensional approximation
1
10.4230/DagSemProc.09031.15
article
Sufficient conditions for sound tree hashing modes
Bertoni, Guido
Daemen, Joan
Peeters, Michaël
Van Assche, Gilles
We consider the general case of tree hashing modes that make use of an underlying compression function. We consider such a tree hashing mode sound if differentiating it from a random oracle, assuming the underlying compression function is a random oracle, can be proven to be hard. We demonstrate two properties that such a tree hashing mode must have for such a proof to exist. For each of the two properties we show that several solutions exist to realize them. For some given solutions we demonstrate that a simple proof of indifferentiability exists and obtain an upper bound on the differentiability probability of $q^2/2^n$, with $q$ the number of queries to the underlying compression function and $n$ its output length. Finally we give two examples of hashing modes for which this proof applies: KeccakTree and prefix-free Merkle-Damgård.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.15/DagSemProc.09031.15.pdf
Tree Hashing
Indifferentiability
14
10.4230/DagSemProc.09031.16
article
The Lane hash function
Indesteege, Sebastiaan
Andreeva, Elena
De Cannière, Christophe
Dunkelman, Orr
Käsper, Emilia
Nikova, Svetla
Preneel, Bart
Tischhauser, Elmar
We propose the cryptographic hash function Lane as a candidate for the SHA-3 competition organised by NIST.
Lane is an iterated hash function supporting multiple digest sizes.
Components of the AES block cipher are reused as building blocks.
Lane aims to be secure, easy to understand, elegant and flexible in implementation.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.16/DagSemProc.09031.16.pdf
Lane
SHA-3 candidate
hash function
9
10.4230/DagSemProc.09031.17
article
The Road from Panama to Keccak via RadioGatún
Bertoni, Guido
Daemen, Joan
Peeters, Michaël
Van Assche, Gilles
In this presentation, we explain the design choices of Panama [1] and RadioGatun [2], which led to Keccak [3]. After briefly recalling Panama, RadioGatun and the trail backtracking cost, we focus on three important aspects. First, we explain the role of the belt in the light of differential trails. Second, we discuss the relative advantages of a block mode hash function compared to a stream mode one. Finally, we point out why Panama and RadioGatun are not sponge functions and why their design philosophy differs from that of Keccak.
[1] J. Daemen and C. S. K. Clapp, FSE 1998
[2] G. Bertoni et al., NIST Hash Workshop 2006
[3] G. Bertoni et al., SHA-3 submission, 2008
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.17/DagSemProc.09031.17.pdf
Hash function
cryptography
39
10.4230/DagSemProc.09031.18
article
The SHAvite-3 - A New Hash Function
Dunkelman, Orr
Biham, Eli
In this work we present SHAvite-3, a secure and efficient hash
function based on the HAIFA construction
and the AES building blocks. SHAvite-3 uses a well-understood set of primitives,
such as a Feistel block cipher which iterates a round function based on the
AES round. SHAvite-3's compression functions are secure against cryptanalysis,
while the selected mode of iteration offers maximal security against
black-box attacks on the hash function. SHAvite-3 is both
fast and resource-efficient, making it suitable for a wide range of
environments, ranging from 8-bit platforms to 64-bit platforms (and beyond).
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol09031/DagSemProc.09031.18/DagSemProc.09031.18.pdf
SHAvite-3
SHA-3
hash function