Publication


Featured researches published by Gaoli Wang.


computational intelligence and security | 2010

Differential Fault Analysis on PRESENT Key Schedule

Gaoli Wang; Shaohui Wang

PRESENT is a lightweight block cipher designed by A. Bogdanov et al. in 2007 for extremely constrained environments such as RFID tags and sensor networks, where AES is not suitable. In this paper, the strength of PRESENT against a differential fault attack on the key schedule is explored. Our attack adopts the nibble-oriented model of random faults and assumes that the attacker can induce a single nibble fault on the round key. The attack can efficiently recover the secret key with a computational complexity of 2^{29} and sixty-four pairs of correct and faulty ciphertexts on average.


international conference on selected areas in cryptography | 2012

Boomerang and Slide-Rotational Analysis of the SM3 Hash Function

Aleksandar Kircanski; Yanzhao Shen; Gaoli Wang; Amr M. Youssef

SM3 is a hash function designed by Xiaoyun Wang et al. and published by the Chinese Commercial Cryptography Administration Office for use in electronic authentication service systems. The design of SM3 builds upon the design of the SHA-2 hash function, but introduces additional strengthening features. In this paper, we present boomerang distinguishers for the SM3 compression function reduced to 32 steps out of 64 steps with complexity 2^{14.4}, 33 steps with complexity 2^{32.4}, 34 steps with complexity 2^{53.1} and 35 steps with complexity 2^{117.1}. Examples of zero-sum quartets for the 32-step and 33-step SM3 compression function are provided. We also point out a slide-rotational property of SM3-XOR, which exists because the constants used in the steps are not independent.


information security practice and experience | 2009

Preimage Attack on Hash Function RIPEMD

Gaoli Wang; Shaohui Wang

RIPEMD is a cryptographic hash function devised in the framework of the RIPE project (RACE Integrity Primitives Evaluation, 1988-1992). It consists of two parallel lines, and each line is identical to MD4 except for some internal constants. It has been broken by collision attacks, but no preimage attack had been given. In this paper, we give a preimage attack on the compression function of 26-step reduced RIPEMD with complexity 2^{110} compression function computations, and we extend the attack on the compression function to an attack on 26-step reduced RIPEMD with complexity 2^{115.2} instead of 2^{128}. Then we extend the attack on 26 steps to an attack on 29 steps with the same complexity. Moreover, we can reduce the complexity of the preimage attack on the full RIPEMD without the padding rule by 1 bit compared with the brute-force attack.


australasian conference on information security and privacy | 2013

Improved Boomerang Attacks on SM3

Dongxia Bai; Hongbo Yu; Gaoli Wang; Xiaoyun Wang

The cryptographic hash function SM3 is designed by X. Wang et al. and published by the Chinese Commercial Cryptography Administration Office for use in electronic certification service systems in China. It is based on the Merkle-Damgård design and is very similar to SHA-2, but includes some additional strengthening features. In this paper, we apply the boomerang attack to the SM3 compression function, and present such distinguishers on up to 34/35/36/37 steps out of 64 steps, with time complexities 2^{31.4}, 2^{33.6}, 2^{73.4} and 2^{93} compression function calls respectively. In particular, we are able to obtain examples of the distinguishers on 34 and 35 steps on a PC due to their practical complexities. In addition, incompatibility problems in the recent boomerang attack are pointed out.


Information Processing Letters | 2013

Preimage and pseudo-collision attacks on step-reduced SM3 hash function

Gaoli Wang; Yanzhao Shen

SM3 [12] is the Chinese cryptographic hash standard, announced in 2010 and designed by Wang et al. It is based on the Merkle-Damgård design, and its compression function can be seen as a block cipher used in Davies-Meyer mode. It uses message blocks of length 512 bits and outputs a hash value of length 256 bits. This letter studies the security of the SM3 hash function against preimage attacks and pseudo-collision attacks by using weaknesses of the diffusion process and the linear message expansion. We propose preimage attacks on 29-step and 30-step SM3, and pseudo-preimage attacks on 31-step and 32-step SM3 out of 64 steps. The complexities of these attacks are 2^{245} 29-step operations, 2^{251.1} 30-step operations, 2^{245} 31-step operations and 2^{251.1} 32-step operations, respectively. These (pseudo-)preimage attacks all start from the 1st step of the reduced SM3. Furthermore, these (pseudo-)preimage attacks can be converted into pseudo-collision attacks on SM3 reduced to 29, 30, 31 and 32 steps with complexities of 2^{122}, 2^{125.1}, 2^{122} and 2^{125.1} respectively. As far as we know, the previously best known preimage attacks on SM3 cover 28 steps (from the 1st step) and 30 steps (from the 7th step).


applied cryptography and network security | 2017

Related-Key Impossible-Differential Attack on Reduced-Round Skinny

Ralph Ankele; Subhadeep Banik; Avik Chakraborti; Eik List; Florian Mendel; Siang Meng Sim; Gaoli Wang

At CRYPTO'16, Beierle et al. presented SKINNY, a family of lightweight tweakable block ciphers intended to compete with the NSA designs SIMON and SPECK. SKINNY can be implemented efficiently in both software and hardware and supports block sizes of 64 and 128 bits, with tweakey sizes of 64, 128, 192 bits and 128, 256, 384 bits respectively. This paper presents a related-tweakey impossible-differential attack on up to 23 (out of 36) rounds of SKINNY-64/128 for different tweak sizes. All our attacks can be trivially extended to SKINNY-128/128.


Iet Information Security | 2015

Improved Boomerang Attacks on Round-Reduced SM3 and Keyed Permutation of BLAKE-256

Dongxia Bai; Hongbo Yu; Gaoli Wang; Xiaoyun Wang

In this study, the authors study the security of the hash functions SM3 and BLAKE-256 against the boomerang attack. SM3 is designed by Wang et al. and published by the Chinese Commercial Cryptography Administration Office for use in electronic certification service systems in China. BLAKE is one of the five finalists of the NIST SHA-3 competition, submitted by Aumasson et al. For SM3, they present boomerang distinguishers for the compression function reduced to 34/35/36/37 steps out of 64 steps, with time complexities 2^{31.4}, 2^{33.6}, 2^{73.4} and 2^{192}, respectively. Then, they show some incompatibility problems in the previous boomerang attacks on SM3. Meanwhile, they launch boomerang attacks on up to 7- and 8-round keyed permutations of BLAKE-256, which are the first valid 7-round and 8-round boomerangs for BLAKE-256. In particular, since the authors' distinguishers on the 34/35-step compression function of SM3 and the 7-round keyed permutation of BLAKE-256 are practical, they are able to obtain boomerang quartets for these attacks. As far as they know, these are the best results against round-reduced SM3 and BLAKE-256.


international conference on information security and cryptology | 2010

Distinguishing attacks on LPMAC based on the full RIPEMD and reduced-step RIPEMD-{256, 320}

Gaoli Wang

This paper presents the first distinguishing attack on the LPMAC based on RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320, where the LPMAC is the secret-prefix MAC with the message length prepended to the message before hashing. Wang et al. presented the first distinguishing attack on HMAC/NMAC-MD5 without the related-key setting in [27], then extended this technique to give a distinguishing attack on the LPMAC based on 61-step SHA-1 in [24]. In this paper, we utilize the techniques in [24, 27] combined with our pseudo-near-collision differential paths on the full RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320 to distinguish the LPMAC based on each of them from the LPMAC based on a random function. Because RIPEMD and RIPEMD-{256, 320} all contain two different and independent parallel lines of operations, the difficulty of our attack is to choose proper message differences and to find proper near-collision differential paths for the two parallel lines. The complexity of distinguishing the LPMAC based on the full RIPEMD is about 2^{66} MAC queries. For the LPMAC based on 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320, the complexities are about 2^{163.5} and 2^{208.5} MAC queries respectively.


IACR Transactions on Symmetric Cryptology | 2017

Cryptanalysis of 48-step RIPEMD-160

Gaoli Wang; Yanzhao Shen; Fukang Liu


Wuhan University Journal of Natural Sciences | 2016

Improved differential attack on 30-round SIMON64

Gaoli Wang; Nan Gan; Yue Li
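The fault model used in the PRESENT key-schedule paper listed above (a single random nibble fault induced on one round key, yielding a pair of correct and faulty ciphertexts) can be simulated against a straight-line implementation of PRESENT-80. The following is an added example written for this page; it is not code from the paper and does not reproduce its 2^{29} key-recovery procedure. It implements the PRESENT-80 key schedule and encryption from the public specification, injects a chosen 4-bit fault into one nibble of one round key, and reports which ciphertext nibbles the fault reaches. The helper names (faulty_encrypt, fault_pair, differing_nibbles) and the sample plaintexts are this example's own choices.

```python
# PRESENT-80 single-nibble round-key fault simulation (added example).
# Implements the cipher per the PRESENT specification; the fault-injection
# helpers and sample inputs are constructed for this illustration and are
# not the attack procedure of the paper.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1
ROUNDS = 31


def sbox_layer(state):
    """Apply the 4-bit S-box to each of the 16 nibbles of the 64-bit state."""
    out = 0
    for i in range(16):
        out |= SBOX[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def p_layer(state):
    """Bit i of the state moves to position 16*i mod 63; bit 63 stays put."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << (63 if i == 63 else (16 * i) % 63)
    return out


def key_schedule(key):
    """Derive round keys K_1..K_32 from an 80-bit master key."""
    round_keys = []
    k = key & MASK80
    for i in range(1, ROUNDS + 1):
        round_keys.append(k >> 16)                   # K_i = leftmost 64 bits
        k = ((k << 61) | (k >> 19)) & MASK80         # rotate register left by 61
        k = (k & ~(0xF << 76)) | (SBOX[(k >> 76) & 0xF] << 76)  # S-box on k79..k76
        k ^= i << 15                                 # round counter into k19..k15
    round_keys.append(k >> 16)                       # K_32 (post-whitening key)
    return round_keys


def encrypt(plaintext, round_keys):
    """PRESENT encryption driven by an explicit list of 32 round keys."""
    state = plaintext & MASK64
    for i in range(ROUNDS):
        state ^= round_keys[i]
        state = p_layer(sbox_layer(state))
    return state ^ round_keys[ROUNDS]


def faulty_encrypt(plaintext, round_keys, round_index, nibble, delta):
    """Encrypt with round key K_{round_index} corrupted in a single nibble.

    round_index is 1-based (K_1..K_32), nibble 0 is the least significant
    nibble, and delta is the non-zero 4-bit value XORed into that nibble.
    """
    assert 1 <= round_index <= ROUNDS + 1 and 0 <= nibble <= 15 and 1 <= delta <= 15
    faulty = list(round_keys)
    faulty[round_index - 1] ^= delta << (4 * nibble)
    return encrypt(plaintext, faulty)


def differing_nibbles(c, c_faulty):
    """Sorted nibble positions in which the correct and faulty ciphertexts differ."""
    diff = c ^ c_faulty
    return [i for i in range(16) if (diff >> (4 * i)) & 0xF]


def fault_pair(plaintext, key, round_index, nibble, delta):
    """One (correct, faulty) ciphertext pair under the single-nibble fault model."""
    rks = key_schedule(key)
    return encrypt(plaintext, rks), faulty_encrypt(plaintext, rks, round_index, nibble, delta)


if __name__ == "__main__":
    # Constructed sample: all-zero key and plaintext, fault in nibble 5 of K_31.
    c, c_f = fault_pair(0, 0, 31, 5, 0x3)
    print(f"correct {c:016x}  faulty {c_f:016x}  "
          f"differing nibbles {differing_nibbles(c, c_f)}")
```

Two structural facts visible from the simulation explain why the round key is an attractive fault target: a fault in K_32 shows up unchanged in the same ciphertext nibble (the final operation is just a key XOR), and a fault in nibble j of K_31 passes through one S-box and the bit permutation, so it can only reach the four ciphertext nibbles j mod 4, j mod 4 + 4, j mod 4 + 8 and j mod 4 + 12, each in at most one bit. Constraints of this kind, applied to earlier round keys together with the key-schedule relations, are what a differential fault analysis turns into key-bit equations.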

Collaboration

Top co-authors of Gaoli Wang:

Fukang Liu, East China Normal University
Florian Mendel, Graz University of Technology
Avik Chakraborti, Indian Statistical Institute
Siang Meng Sim, Nanyang Technological University