Liting Zhang

3kf9: enhancing 3GPP-MAC beyond the birthday bound

Among various cryptographic schemes, CBC-based MACs belong to the few ones most widely used in practice. Such MACs iterate a blockcipher EK in the so called Cipher-Block-Chaining way, i.e. Ci=EK(Mi⊕Ci−1) , offering high efficiency in practical applications. In the paper, we propose a new deterministic variant of CBC-based MACs that is provably secure beyond the birthday bound. The new MAC 3kf9 is obtained by combining f9 (3GPP-MAC) and EMAC sharing the same internal structure, and so it is almost as efficient as the original CBC MAC. 3kf9 offers

Security analysis of the GF-NLFSR structure and four-cell block cipher

O(\frac{l^3q^3}{2^{2n}}+\frac{lq}{2^n})

Weak-Key and Related-Key Analysis of Hash-Counter-Hash Tweakable Enciphering Schemes

PRF-security when its underlying n-bit blockcipher is pseudorandom with three independent keys. This makes it more secure than traditional CBC-based MACs, especially when they are applied with lightweight blockciphers. Therefore, 3kf9 is expected to be a possible candidate MAC in resource-restricted environments.

Collision Attacks on Variant of OCB Mode and Its Series

The overall structure is one of the most important properties of block ciphers. At present, the most common structures include Feistel structure, SP structure, MISTY structure, L-M structure and Generalized Feistel structure. In [12], Choy et al. proposed a new structure called GF-NLFSR (Generalized Feistel-NonLinear Feedback Shift Register), and designed a new block cipher called Four-Cell which is based on the 4-cell GF-NLFSR. In this paper, we first study properties of the n-cell GF-NLFSR structure, and prove that for an n-cell GF-NLFSR, there exists an (n2+n−2) rounds impossible differential. Then we present an impossible differential attack on the full 25-round Four-Cell using this kind of 18-round impossible differential distinguisher together with differential cryptanalysis technique. The data complexity of our attack is 2111.5 and the time complexity is less than 2123.5 encryptions. In addition, we expect the attack to be more efficient when the relations between different round subkeys can be exploited by taking the key schedule algorithm into consideration.

Constructing rate-1 MACs from related-key unpredictable block ciphers: PGV model revisited

We analyze three tweakable enciphering schemes (TES) XCB, HCTR and HCH, which all consist of polynomial evaluation hash function as their first and third layers and CTR mode in the middle. The weak keys of polynomial evaluation hash in message authentication code and authenticated encryption have been thoroughly analyzed, but have never applied in TES. We point out that XCB, HCTR and HCH (and two variations of HCH: HCHp and HCHfp) can not resist distinguishing attack, key-recovery attack and plaintext-recovery attack once the weak key is recognized. We also analyze the security of related-key attacks against these schemes, showing that HCTR, HCHp and HCHfp suffer related-key attack and XCB and HCH can resist related-key attack under the assumption that the underlying block cipher resists related-key attack.

Cryptanalysis of the OKH Authenticated Encryption Scheme

Three versions of OCB appeared in the literature: OCB1, OCB2 and OCB3. Ferguson pointed out that OCB1 could not resist against collision attacks, which was improved by Mathiassen. Zhang, Xing and Yang made the first attempt to improve OCB1 against this prevailing attack in blockcipher modes of operation, and proposed a new authenticated encryption mode OCB-ZXY, using offset dependent plaintext block transformation (ODPBT) technique. Our research shows that: 1) OCB-ZXY still cannot resist against collision attacks. 2) OCB2 and OCB3 also suffer from collision attacks, even more severely than OCB1. 3) Even if OCB2 and OCB3 adopt the ODPBT technique, collision attacks still exist.

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

Almost all current block-cipher-based MACs reduce their security to the pseudorandomness of their underlying block ciphers, except for a few of them to the unpredictability, a strictly weaker security notion than pseudorandomness. However, the latter MACs offer relatively low efficiency. In this paper, we investigate the feasibility of constructing rate-1 MACs from related-key unpredictable block ciphers. First, we show all the existing rate-1 MACs are insecure when instantiated with a special kind of related-key unpredictable block cipher. The attacks on them inspire us to propose an assumption that all the chaining values are available to adversaries for theoretically analyzing such MACs. Under this assumption, we study the security of 64 rate-1 MACs in keyed PGV model, and find that 1) 15 MACs are meaningless; 2) 25 MACs are vulnerable to three kinds of attacks respectively and 3) 24 MACs are provably secure when their underlying block ciphers are related-key unpredictable. Furthermore, we refine these 24 provably secure rate-1 MACs in Compact PGV model by removing a useless parameter away, and find that the resulting 6 provably secure MACs are in fact equivalent to each other. In the aspect of efficiency, however, the low rate of these secure MACs does not necessarily mean they can run faster than none rate-1 one MACs, due to their large number of key schedules.

Proposition of two cipher structures

Alomair proposed a new authenticated encryption scheme OKH at ACNS 2012, and proved its security, i.e. authenticity and privacy. Our research shows that it is not the case. We only need one query to break the authenticity of OKH with success probability of 1, and two queries to break the privacy of OKH with success probability of 1 − 1/2 n , where n is the block-length of underlying blockcipher.

Extended Models for Message Authentication

Universal hash functions UHFs have been extensively used in the design of cryptographic schemes. If we consider the related-key attack RKA against these UHF-based schemes, some of them may not be secure, especially those using the key of UHF as a part of the whole key of scheme, due to the weakness of UHF in the RKA setting. In order to solve this issue, we propose a new concept of related-key almost universal hash function, which is a natural extension to almost universal hash function in the RKA setting. We define related-key almost universal RKA-AU hash function and related-key almost XOR universal RKA-AXU hash function. However almost all the existing UHFs do not satisfy the new definitions. We construct one fixed-input-length universal hash function named RH1 and two variable-input-length universal hash functions named RH2 and RH3. We show that RH1 and RH2 are both RKA-AXU, and RH3 is RKA-AU for the RKD set