Mario Lamberger

An ASIC Implementation of the AES SBoxes

This article presents a hardware implementation of the S-Boxes from the Advanced Encryption Standard (AES). The SBoxes substitute an 8-bit input for an 8-bit output and are based on arithmetic operations in the finite field GF(28). We show that a calculation of this function and its inverse can be done efficiently with combinational logic. This approach has advantages over a straight-forward implementation using read-only memories for table lookups. Most of the functionality is used for both encryption and decryption. The resulting circuit offers low transistor count, has low die-size, is convenient for pipelining, and can be realized easily within a semi-custom design methodology like a standard-cell design. Our standard cell implementation on a 0.6 ?m CMOS process requires an area of only 0.108 mm2 and has delay below 15 ns which equals a maximum clock frequency of 70 MHz. These results were achieved without applying any speed optimization techniques like pipelining.

Hybrid engine for polymorphic shellcode detection

Driven by the permanent search for reliable anomaly-based intrusion detection mechanisms, we investigated different options of neural network (NN) based techniques. A further improvement could be achieved by combining the best suited NN-based data mining techniques with a mechanism we call “execution chain evaluation”. This means that disassembled instruction chains are processed by the NN in order to detect malicious code. The proposed detection engine was trained and tested in various ways. Examples were taken from all publicly available polymorphic shellcode engines as well as from self-designed engines. A prototype implementation of our sensor has been realized and integrated as a plug-in into the SNORTTM[13] intrusion detection system.

Second-Order differential collisions for reduced SHA-256

In this work, we introduce a new non-random property for hash/compression functions using the theory of higher order differentials. Based on this, we show a second-order differential collision for the compression function of SHA-256 reduced to 47 out of 64 steps with practical complexity. We have implemented the attack and provide an example. Our results suggest that the security margin of SHA-256 is much lower than the security margin of most of the SHA-3 finalists in this setting. The techniques employed in this attack are based on a rectangle/boomerang approach and cover advanced search algorithms for good characteristics and message modification techniques. Our analysis also exposes flaws in all of the previously published related-key rectangle attacks on the SHACAL-2 block cipher, which is based on SHA-256. We provide valid rectangles for 48 steps of SHACAL-2.

Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers

In this paper we study the security of the Advanced Encryption Standard (AES) and AES-like block ciphers against differential cryptanalysis. Differential cryptanalysis is one of the most powerful methods for analyzing the security of block ciphers. Even though no formal proofs for the security of AES against differential cryptanalysis have been provided to date, some attempts to compute the maximum expected differential probability (MEDP) for two and four rounds of AES have been presented recently. In this paper, we will improve upon existing approaches in order to derive better bounds on the EDP for two and four rounds of AES based on a slightly simplified S-box. More precisely, we are able to provide the complete distribution of the EDP for two rounds of this AES variant with five active S-boxes and methods to improve the estimates for the EDP in the case of six active S-boxes.

The Rebound Attack and Subspace Distinguishers: Application to Whirlpool

We introduce the rebound attack as a variant of differential cryptanalysis on hash functions and apply it to the hash function Whirlpool, standardized by ISO/IEC. We give attacks on reduced variants of the 10-round Whirlpool hash function and compression function. Our results are collisions for 5.5 and near-collisions for 7.5 rounds on the hash function, as well as semi-free-start collisions for 7.5 and semi-free-start near-collisions for 9.5 rounds on the compression function. Additionally, we introduce the subspace problem as a generalization of near-collision resistance. Finally, we present the first distinguishers that apply to the full compression function and the full underlying block cipher W of Whirlpool.

Second preimages for SMASH

This article presents a rare case of a deterministic second preimage attack on a cryptographic hash function. Using the notion of controllable output differences, we show how to construct second preimages for the SMASH hash functions. If the given preimage contains at least n+1 blocks, where n is the output length of the hash function in bits, then the attack is deterministic and requires only to solve a set of n linear equations. For shorter preimages, the attack is probabilistic.

Analysis of the Hash Function Design Strategy Called SMASH

The hash function design strategy SMASH was recently proposed as an alternative to the MD4 family of hash functions. It can be shown that the strategy leads to designs that are vulnerable to efficient collision and (second) preimage attacks. The mathematical structure of the SMASH description facilitates the description of the weakness and the resulting attacks, but also functions with less mathematical elegance may show similar weaknesses.

Memoryless near-collisions via coding theory

We investigate generic methods to find near-collisions in cryptographic hash functions. We introduce a new generic approach based on methods to find cycles in the space of codewords of a code with low covering radius. We give an analysis of our approach and demonstrate it on the SHA-3 candidate TIB3.

On a family of singular measures related to Minkowski's?(x) function

Abstract In the present paper we are investigating a certain point measure of a distribution function arising in a paper by Grabner et al. [Combinatorica 22 (2002) 245–267]. This distribution function is defined by means of the subtractive Euclidean algorithm and bears a striking resemblance to the singular?(x)-function of H. Minkowski. Beyond it, we will also consider a whole family of distribution functions arising in a natural way from the above ones. Nevertheless we will prove that all of the corresponding measures of the mentioned functions are mutually singular by using dynamical systems and the ergodic theorem.

Massive data mining for polymorphic code detection

Driven by the permanent search for reliable anomaly-based intrusion detection mechanisms, we investigated different statistical methodologies to deal with the detection of polymorphic shellcode. The paper intends to give an overview on existing approaches in the literature as well as a synopsis of our efforts to evaluate the applicability of data mining techniques such as Neural Networks, Self Organizing Maps, Markov Models or Genetic Algorithms in the area of polymorphic code detection. We will then present our achieved results and conclusions.