Aleksandar Kircanski

Differential Fault Analysis of Rabbit

Rabbit is a high speed scalable stream cipher with 128-bit key and a 64-bit initialization vector. It has passed all three stages of the ECRYPT stream cipher project and is a member of eSTREAM software portfolio. In this paper, we present a practical fault analysis attack on Rabbit. The fault model in which we analyze the cipher is the one in which the attacker is assumed to be able to fault a random bit of the internal state of the cipher but cannot control the exact location of injected faults. Our attack requires around 128 ? 256 faults, precomputed table of size 241.6 bytes and recovers the complete internal state of Rabbit in about 238 steps.

Differential fault analysis of HC-128

HC-128 is a high speed stream cipher with a 128-bit secret key and a 128-bit initialization vector. It has passed all the three stages of the ECRYPT stream cipher project and is a member of the eSTREAM software portfolio. In this paper, we present a differential fault analysis attack on HC-128. The fault model in which we analyze the cipher is the one in which the attacker is able to fault a random word of the inner state of the cipher but cannot control its exact location nor its new faulted value. To perform the attack, we exploit the fact that some of the inner state words in HC-128 may be utilized several times without being updated. Our attack requires about 7968 faults and recovers the complete internal state of HC-128 by solving a set of 32 systems of linear equations over Z2 in 1024 variables.

Boomerang and Slide-Rotational Analysis of the SM3 Hash Function

SM3 is a hash function, designed by Xiaoyun Wang et al. and published by the Chinese Commercial Cryptography Administration Office for the use of electronic authentication service system. The design of SM3 builds upon the design of the SHA-2 hash function, but introduces additional strengthening features. In this paper, we present boomerang distinguishers for the SM3 compression function reduced to 32 steps out of 64 steps with complexity 214.4, 33 steps with complexity 232.4, 34 steps with complexity 253.1 and 35 steps with complexity 2117.1. Examples of zero-sum quartets for the 32-step and 33-step SM3 compression function are provided. We also point out a slide-rotational property of SM3-XOR, which exists due to the fact that constants used in the steps are not independent.

Rebound Attacks on Stribog

In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11–2012). Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities \(2^8\) and \(2^{40}\), respectively. Finally, the compression function is analyzed and a 7.75 round semi free-start collision, 8.75 and 9.75 round semi free-start near collisions are presented along with an example for 4.75 round 50 out of 64 bytes near colliding message pair.

On the sliding property of SNOW 3 G and SNOW 2.0

SNOW 3G is a stream cipher chosen by the 3rd Generation Partnership Project (3GPP) as a crypto-primitive to substitute KASUMI in case its security is compromised. SNOW 2.0 is one of the stream ciphers chosen for the ISO/IEC standard IS 18033-4. In this study, the authors show that the initialisation procedure of the two ciphers admits a sliding property, resulting in several sets of related-key pairs. In case of SNOW 3G, a set of 2 32 related-key pairs is presented, whereas in the case of SNOW 2.0, several such sets are found, out of which the largest are of size 2 64 and 2 192 for the 128-bit and 256-bit variant of the cipher, respectively. In addition to allowing related-key recovery attacks against SNOW 2.0 with 256-bit keys, the presented properties reveal non-random behaviour that yields related-key distinguishers and also questions the validity of the security proofs of protocols that are based on the assumption that SNOW 3G and SNOW 2.0 behave like perfect random functions of the key- IV .

Differential fault analysis of Sosemanuk

Sosemanuk is a software-based stream cipher which supports a variable key length of either 128 or 256 bits and 128-bit initial values. It has passed all three stages of the ECRYPT stream cipher project and is a member of the eSTREAM software portfolio. In this paper, we present a fault analysis attack on Sosemanuk. The fault model in which we analyze the cipher is the one in which the attacker is assumed to be able to fault a random inner state word but cannot control the exact location of injected faults. Our attack, which recovers the secret inner state of the cipher, requires around 6144 faults, work equivalent to around 248 Sosemanuk iterations and a storage of around 238.17 bytes.

A Heuristic for Finding Compatible Differential Paths with Application to HAS-160

The question of compatibility of differential paths plays a central role in second order collision attacks on hash functions. In this context, attacks typically proceed by starting from the middle and constructing the middle-steps quartet in which the two paths are enforced on the respective faces of the quartet structure. Finding paths that can fit in such a quartet structure has been a major challenge and the currently known compatible paths extend over a suboptimal number of steps for hash functions such as SHA-2 and HAS-160. In this paper, we investigate a heuristic that searches for compatible differential paths. The application of the heuristic in case of HAS-160 yields a practical second order collision over all of the function steps, which is the first practical result that covers all of the HAS-160 steps. An example of a colliding quartet is provided.

Cryptanalysis of the Loiss Stream Cipher

Loiss is a byte-oriented stream cipher designed by Dengguo Feng et al. Its design builds upon the design of the SNOW family of ciphers. The algorithm consists of a linear feedback shift register (LFSR) and a non-linear finite state machine (FSM). Loiss utilizes a structure called Byte-Oriented Mixer with Memory (BOMM) in its filter generator, which aims to improve resistance against algebraic attacks, linear distinguishing attacks and fast correlation attacks. In this paper, by exploiting some differential properties of the BOMM structure during the cipher initialization phase, we provide an attack of a practical complexity on Loiss in the related-key model. As confirmed by our experimental results, our attack recovers 92 bits of the 128-bit key in less than one hour on a PC with 3 GHz Intel Pentium 4 processor. The possibility of extending the attack to a resynchronization attack in a single-key model is discussed. We also show that Loiss is not resistant to slide attacks.

On the structural weakness of the GGHN stream cipher

GGHN is an RC4-like stream cipher designed to make use of today’s common 32-bit processors. It is 3–5 times faster than RC4. According to its designers, one of the sources of GGHN’s high security is the large size of its secret internal state, which totals 8240 bits. In this paper we show that if an attacker can obtain 2064 specific bits of this internal state, then the attacker can deduce the remaining state bits with limited computation, effectively reducing the secret internal state size by approximately a factor of 4. We then present a fault analysis attack that allows the cryptanalyst to obtain these critical 2064 bits. The whole procedure effectively breaks GGHN using 257×255 induced faults, 2 keystream words for each of these faults, around 257 non-faulted keystream words and negligible computational time.

Second order collision for the 42-step reduced DHA-256 hash function

At the Cryptographic Hash Workshop hosted by NIST in 2005, Lee et al. proposed the DHA-256 (Double Hash Algorithm-256) hash function. The design of DHA-256 builds upon the design of SHA-256, but introduces additional strengthening features such as optimizing the message expansion and step function against local collision attacks. Previously, DHA-256 was analyzed by J. Zhong and X. Lai, who presented a preimage attack on 35 steps of the compression function with complexity 2^2^3^9^.^6. In addition, the IAIK Krypto Group provided evidence that there exists a 9-step local collision for the DHA-256 compression function with probability higher than previously predicted. In this paper, we analyze DHA-256 in the context of higher order differential attacks. In particular, we provide a practical distinguisher for 42 out of 64 steps and give an example of a colliding quartet to validate our results.