
Publication


Featured research published by Markku-Juhani O. Saarinen.


fast software encryption | 2012

Cycling attacks on GCM, GHASH and other polynomial MACs and hashes

Markku-Juhani O. Saarinen

The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide single-pass authenticated encryption. The GHASH authentication component of GCM belongs to a class of Wegman-Carter polynomial hashes that operate in the field GF(2^128). We present message forgery attacks that are made possible by its extremely smooth-order multiplicative group which splits into 512 subgroups. GCM uses the same block cipher key K to both encrypt data and to derive the generator H of the authentication polynomial for GHASH. In present literature, only the trivial weak key H=0 has been considered. We show that GHASH has much wider classes of weak keys in its 512 multiplicative subgroups, analyze some of their properties, and give experimental results on AES-GCM weak key search. Our attacks can be used not only to bypass message authentication with garbage but also to target specific plaintext bits if a polynomial MAC is used in conjunction with a stream cipher. These attacks can also be applied with varying efficiency to other polynomial hashes and MACs, depending on their field properties. Our findings show that especially the use of short polynomial-evaluation MACs should be avoided if the underlying field has a smooth multiplicative order.
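The subgroup structure behind this abstract can be reproduced directly. The following is an added example, not code from the paper: it implements GHASH over GF(2^128) in GCM's bit ordering (SP 800-38D), constructs an authentication key H of multiplicative order 3 (the group order 2^128 - 1 factors as 3 · 5 · 17 · 257 · 641 · 65537 · 274177 · 6700417 · 67280421310721, nine distinct primes, hence 2^9 = 512 subgroups), and shows that swapping two ciphertext blocks whose positions differ by a multiple of 3 leaves GHASH, and therefore the GCM tag, unchanged. In real AES-GCM, H = E_K(0^128); the example constructs a weak H directly instead of searching for a key K that produces one, which is the search the paper performs. The block cipher, nonce and the E_K(J0) tag mask are omitted because they do not affect the argument, and the AAD and ciphertext bytes are constructed.

```python
# Added example (not from the paper): GHASH over GF(2^128) in GCM's bit order,
# an authentication key H of small multiplicative order, and the block-swap
# forgery such an H permits. Block cipher, nonce and tag mask are left out:
# the GCM tag is GHASH_H(A, C) XOR E_K(J0), so equal GHASH means equal tag.

R = 0xE1000000000000000000000000000000  # x^128 + x^7 + x^2 + x + 1, GCM bit order
ONE = 1 << 127                           # the field element 1 in GCM bit order

# |GF(2^128)*| = 2^128 - 1 is squarefree with nine prime factors, so the
# cyclic group has 2^9 = 512 subgroups, one per divisor.
GROUP_ORDER = (1 << 128) - 1
PRIME_FACTORS = [3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721]
assert GROUP_ORDER == 3 * 5 * 17 * 257 * 641 * 65537 * 274177 * 6700417 * 67280421310721


def gf_mul(x, y):
    """Multiply two field elements given as 128-bit ints (SP 800-38D, Alg. 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x, e):
    """Square-and-multiply exponentiation in the field."""
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def element_order(h):
    """Exact multiplicative order of a nonzero field element."""
    n = GROUP_ORDER
    for p in PRIME_FACTORS:
        if n % p == 0 and gf_pow(h, n // p) == ONE:
            n //= p
    return n


def element_of_order(t):
    """Find an H of exact order t (t must divide 2^128 - 1). In AES-GCM the
    weak-key search instead looks for keys K whose H = E_K(0) lands here."""
    for a in range(2, 10000):
        h = gf_pow(a, GROUP_ORDER // t)
        if element_order(h) == t:
            return h
    raise ValueError("no element of that order found")


def _blocks(data):
    data += b"\x00" * (-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def ghash(h, aad, ct):
    """GHASH_H(A || C || [len(A)]64 || [len(C)]64), i.e. sum X_i * H^(n-i+1)."""
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    y = 0
    for x in _blocks(aad) + _blocks(ct) + [length_block]:
        y = gf_mul(y ^ x, h)
    return y


def swap_blocks(ct, i, j):
    """Swap full 16-byte ciphertext blocks i and j."""
    b = bytearray(ct)
    b[16 * i:16 * i + 16], b[16 * j:16 * j + 16] = ct[16 * j:16 * j + 16], ct[16 * i:16 * i + 16]
    return bytes(b)


def forgery_passes(h, aad, ct, i, j):
    """True when the swapped message has the same GHASH (and hence the same tag).
    Algebraically this holds iff H^(j-i) = 1, i.e. the order of H divides j-i."""
    return ghash(h, aad, ct) == ghash(h, aad, swap_blocks(ct, i, j))


# Constructed non-weak H for contrast (not in the order-3 subgroup).
STRONG_H = int.from_bytes(b"not a weak key!!", "big")

if __name__ == "__main__":
    h3 = element_of_order(3)
    ct = bytes(range(128))  # constructed 8-block ciphertext
    print("order of H:", element_order(h3))
    print("swap blocks 0,3 under weak H:", forgery_passes(h3, b"hdr", ct, 0, 3))
    print("swap blocks 0,1 under weak H:", forgery_passes(h3, b"hdr", ct, 0, 1))
    print("swap blocks 0,3 under strong H:", forgery_passes(STRONG_H, b"hdr", ct, 0, 3))
```

element_order is the check a practitioner would run against a candidate H: the forgery above only needs the order of H to divide the distance between the swapped blocks, and because 2^128 - 1 is smooth there are many small orders for H to fall into, which is the paper's point.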


communications and multimedia security | 1999

Attacks against the WAP WTLS protocol

Markku-Juhani O. Saarinen

The WAP WTLS protocol was designed to provide privacy, data integrity, and authentication for wireless terminals. The protocol is currently being fielded, and it is expected that the protocol will be contained in millions of devices in a few years.


fast software encryption | 2003

Cryptanalysis of Block Ciphers Based on SHA-1 and MD5

Markku-Juhani O. Saarinen

We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding slid pairs for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.


fast software encryption | 2002

A Time-Memory Tradeoff Attack Against LILI-128

Markku-Juhani O. Saarinen

In this note we discuss a novel and simple time-memory tradeoff attack against the stream cipher LILI-128. The attack defeats the security advantage of having an irregular stepping function. The attack requires 2^46 bits of keystream, a lookup table of 2^45 89-bit words and computational effort which is roughly equivalent to 2^48 DES operations.


international conference on progress in cryptology | 2007

Linearization attacks against syndrome based hashes

Markku-Juhani O. Saarinen

In MyCrypt 2005, Augot, Finiasz, and Sendrier proposed FSB, a family of cryptographic hash functions. The security claim of the FSB hashes is based on a coding theory problem with hard average-case complexity. In the ECRYPT 2007 Hash Function Workshop, new versions with essentially the same compression function but radically different security parameters and an additional final transformation were presented. We show that hardness of average-case complexity of the underlying problem is irrelevant in collision search by presenting a linearization method that can be used to produce collisions in a matter of seconds on a desktop PC for the variant of FSB with claimed 2^128 security.


international conference on cryptology in india | 2006

Security of VSH in the real world

Markku-Juhani O. Saarinen

In Eurocrypt 2006, Contini, Lenstra, and Steinfeld proposed a new hash function primitive, VSH, very smooth hash. In this brief paper we offer commentary on the resistance of VSH against some standard cryptanalytic attacks, including preimage attacks and collision search for a truncated VSH. Although the authors of VSH claim only collision resistance, we show why one must be very careful when using VSH in cryptographic engineering, where additional security properties are often required.


collaborative virtual environments (CVE) | 2001

Extending the Limits of Collaborative Virtual Environments

Mike Robinson; Samuli Pekkola; Jonni Korhonen; Saku Hujala; Tero Toivonen; Markku-Juhani O. Saarinen

This chapter is about extending CVEs to include more people and more objects in more media. Fundamentally the story goes like this.


international conference on cryptology in india | 2011

Practical attack on 8 rounds of the lightweight block cipher KLEIN

Jean-Philippe Aumasson; María Naya-Plasencia; Markku-Juhani O. Saarinen

KLEIN is a family of lightweight block ciphers presented at RFIDSec 2011 that combines a 4-bit S-box with Rijndael's byte-oriented MixColumn. This approach allows compact implementations of KLEIN in both low-end software and hardware. This paper shows that interactions between those two components lead to the existence of differentials of unexpectedly high probability: using an iterative collection of differential characteristics and neutral bits in plaintexts, we find conforming pairs for four rounds with amortized cost below 2^12 encryptions, whereas at least 2^30 was expected by the preliminary analysis of KLEIN. We exploit this observation by constructing practical (≈2^35-encryption), experimentally verified, chosen-plaintext key-recovery attacks on up to 8 rounds of KLEIN-64, the instance of KLEIN with 64-bit keys and 12 rounds.


fast software encryption | 2013

Related-Key Attacks Against Full Hummingbird-2

Markku-Juhani O. Saarinen

We present attacks on full Hummingbird-2 which are able to recover the 128-bit secret keys of two black box cipher instances that have a certain type of low-weight XOR difference in their keys. We call these highly correlated keys as they produce the same ciphertext with a significant probability. The complexity of our main chosen-IV key-recovery attack is 2^64. The first 64 bits of the key can be independently recovered with only 2^36 effort. This is the first sub-exhaustive attack on the full cipher under two related keys. Our attacks use some novel tricks and techniques which are made possible by Hummingbird-2's unique word-based structure. We have verified the correctness and complexity of our attacks by fully implementing them. We also discuss enabling factors of these attacks and describe an alternative design for the WD16 nonlinear keyed function which is resistant to attacks of this type. The new experimental function replaces S-boxes with simple χ functions.


workshop on information security applications | 2004

Encrypted watermarks and linux laptop security

Markku-Juhani O. Saarinen

The most common way to implement full-disk encryption (as opposed to encrypted file systems) in the GNU/Linux operating system is using the encrypted loop device, known as CryptoLoop. We demonstrate clear weaknesses in the current CBC-based implementation of CryptoLoop, perhaps the most surprising being a very simple attack which allows specially watermarked files to be identified on an encrypted hard disk without knowledge of the secret encryption key. We take a look into the practical problems of securely booting, authenticating, and keying full-disk encryption. We propose simple improvements to the current CryptoLoop implementation based on the notions of tweakable encryption algorithms and enciphering modes. We also discuss sector-level authentication codes. The new methods have been implemented as a set of patches to the Linux Kernel series 2.6 and the relevant system tools.
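The watermark attack the abstract refers to comes from CBC with an IV the attacker can predict: when the per-sector IV is the sector number, anyone who controls file contents can choose the first plaintext block of sector s as W XOR IV(s), so every such sector encrypts to the same first ciphertext block E_K(W), which is visible in the raw encrypted disk without the key. The following is an added example, not code from the paper or from the kernel. It assumes 512-byte sectors and a sector-number IV, uses a hash-based stand-in for the block cipher because the effect depends only on how CBC combines the IV with the first block, and contrasts the leak with a key-derived IV (ESSIV-style, shown as an illustration rather than as the paper's tweakable-mode proposal). All disk contents are constructed.

```python
# Added example (not from the paper or the kernel): CBC disk encryption with a
# predictable per-sector IV lets an attacker plant a file whose presence is
# visible in the ciphertext alone; a key-derived IV removes that leak.
import hashlib

BLOCK = 16    # 128-bit block cipher
SECTOR = 512  # assumed sector size


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prp(key, block):
    """Stand-in for the block cipher's encryption direction: a deterministic
    keyed 128-bit function. The watermark depends only on how CBC combines
    the IV with the first plaintext block, not on the cipher, so a hash-based
    stand-in suffices here (it is not invertible, so there is no decryption)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def plain_iv(key, sector):
    """Predictable IV: the sector number itself (assumed sector-number IV scheme)."""
    return sector.to_bytes(BLOCK, "little")


def keyed_iv(key, sector):
    """Unpredictable IV: the sector number encrypted under a key-derived salt
    (ESSIV-style contrast, not the paper's own proposal)."""
    salt = hashlib.sha256(key).digest()
    return prp(salt, sector.to_bytes(BLOCK, "little"))


def cbc_encrypt_sector(key, iv_fn, sector, plaintext):
    """CBC-encrypt one sector, chaining from iv_fn(key, sector)."""
    assert len(plaintext) == SECTOR
    prev, out = iv_fn(key, sector), bytearray()
    for i in range(0, SECTOR, BLOCK):
        prev = prp(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def watermarked_sectors(first_sector, n_sectors, mark):
    """Attacker-chosen file content: the first block of sector s is
    mark XOR plain_iv(s), so under plain-IV CBC every sector's first
    ciphertext block equals E_K(mark), whatever the key. The rest is filler."""
    out = []
    for s in range(first_sector, first_sector + n_sectors):
        out.append(xor(mark, plain_iv(b"", s)) + bytes([s & 0xFF]) * (SECTOR - BLOCK))
    return out


def detect_watermark(image, min_run=3):
    """Key-free scan of an encrypted image ({sector: ciphertext}) for runs of
    consecutive sectors whose first ciphertext block is identical.
    Returns a list of (start_sector, run_length)."""
    sectors, runs, i = sorted(image), [], 0
    while i < len(sectors):
        j = i
        while (j + 1 < len(sectors) and sectors[j + 1] == sectors[j] + 1
               and image[sectors[j + 1]][:BLOCK] == image[sectors[i]][:BLOCK]):
            j += 1
        if j - i + 1 >= min_run:
            runs.append((sectors[i], j - i + 1))
        i = j + 1
    return runs


def build_and_scan(iv_fn):
    """Constructed disk: innocuous sectors 0-9 plus an 8-sector watermarked file
    at sectors 100-107, encrypted with iv_fn, then scanned without the key."""
    key = b"constructed 32-byte key material"
    disk = {s: hashlib.sha256(b"filler %d" % s).digest() * 16 for s in range(10)}
    for s, p in zip(range(100, 108), watermarked_sectors(100, 8, b"WATERMARK-PATTRN")):
        disk[s] = p
    image = {s: cbc_encrypt_sector(key, iv_fn, s, p) for s, p in disk.items()}
    return detect_watermark(image)


if __name__ == "__main__":
    print("plain IV :", build_and_scan(plain_iv))  # the planted file shows up as (100, 8)
    print("keyed IV :", build_and_scan(keyed_iv))  # nothing distinguishable
```

The scan needs no key material at all, which is what makes the weakness a confidentiality problem for full-disk encryption rather than a mere theoretical distinguisher: the run length and position of identical first blocks can be chosen by whoever wrote the file.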

Collaboration



Top Co-Authors

Jonni Korhonen, University of Jyväskylä
Mike Robinson, University of Jyväskylä
Saku Hujala, University of Jyväskylä
Samuli Pekkola, University of Jyväskylä
Tero Toivonen, University of Jyväskylä
Daniel W. Engels, Massachusetts Institute of Technology
Thijs Laarhoven, Eindhoven University of Technology