An Improved Algebraic Attack on Hamsi-256

Dinur, Itai; Shamir, Adi

doi:10.1007/978-3-642-21702-9_6

Cited by 13 publications

(11 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, turning such distinguishers into real attacks, like a key-recovery attack on a cipher or a (second)-preimage attack on a hash function, is a difficult problem. The most promising approach consists in combining some properties of the algebraic normal form of an inner function (e.g., its low degree) and the solving of some algebraic system, as proposed in [3] and [41]. Another open problem is to determine the impact of our result on some stream ciphers which appear to be vulnerable to several attacks exploiting the existence of some function with a low degree [6], [42].…”

Section: Discussionmentioning

confidence: 96%

On the Influence of the Algebraic Degree of $F^{-1}$ on the Algebraic Degree of $G \circ F$

Boura

Canteaut

2013

IEEE Trans. Inform. Theory

View full text Add to dashboard Cite

We present a study on the algebraic degree of iterated permutations seen as multivariate polynomials. The main result shows that this degree depends on the algebraic degree of the inverse of the permutation which is iterated. This result is also extended to noninjective balanced vectorial functions where the relevant quantity is the minimal degree of the inverse of a permutation expanding the function. This property has consequences in symmetric cryptography since several attacks or distinguishers exploit a low algebraic degree, like higher order differential attacks, cube attacks, and cube testers, or algebraic attacks. Here, we present some applications of this improved bound to a higher degree variant of the block cipher , to the block cipher Rijndael-256 and to the inner permutations of the hash functions ECHO and JH.Index Terms-Algebraic degree, block ciphers, hash functions, higher order differential attacks.

show abstract

Section: Discussionmentioning

confidence: 96%

On the Influence of the Algebraic Degree of $F^{-1}$ on the Algebraic Degree of $G \circ F$

Boura

Canteaut

2013

IEEE Trans. Inform. Theory

View full text Add to dashboard Cite

show abstract

“…Non-randomness that might slightly speed-up second-preimage attacks is not excluded by our models and bounds, but we conjecture this to be negligible. To support our conjecture, consider as an example the slight speed-up of second-preimage attacks [DS11,Fuh10] on the SHA-3 candidate Hamsi [Kü09] which uses a very strong non-random property of the compression function. No such strong property seems likely to exist for our proposals.…”

Section: Security Claimsmentioning

confidence: 99%

Haraka v2 – Efficient Short-Input Hashing for Post-Quantum Applications

Kölbl

Lauridsen²,

Mendel

et al. 2017

ToSC

View full text Add to dashboard Cite

Recently, many efficient cryptographic hash function design strategies have been explored, not least because of the SHA-3 competition. These designs are, almost exclusively, geared towards high performance on long inputs. However, various applications exist where the performance on short (fixed length) inputs matters more. Such hash functions are the bottleneck in hash-based signature schemes like SPHINCS or XMSS, which is currently under standardization. Secure functions specifically designed for such applications are scarce. We attend to this gap by proposing two short-input hash functions (or rather simply compression functions). By utilizing AES instructions on modern CPUs, our proposals are the fastest on such platforms, reaching throughputs below one cycle per hashed byte even for short inputs, while still having a very low latency of less than 60 cycles. Under the hood, this results comes with several innovations. First, we study whether the number of rounds for our hash functions can be reduced, if only second-preimage resistance (and not collision resistance) is required. The conclusion is: only a little. Second, since their inception, AES-like designs allow for supportive security arguments by means of counting and bounding the number of active S-boxes. However, this ignores powerful attack vectors using truncated differentials, including the powerful rebound attacks. We develop a general tool-based method to include arguments against attack vectors using truncated differentials.

show abstract

“…A special feature of this function is that its compression function consists of a small number of rounds of a permutation with a particularly low algebraic degree. These weaknesses have been exploited by Fuhr [12] and by Dinur and Shamir [10] in order to find second preimages for the entire hash function. We show here that Fuhr's attack is related to the (v, w)-linearity of the Sbox used in Hamsi.…”

Section: ⊓ ⊔mentioning

confidence: 99%

A New Criterion for Avoiding the Propagation of Linear Relations Through an Sbox

Boura

Canteaut

2014

Fast Software Encryption

View full text Add to dashboard Cite

In several cryptographic primitives, Sboxes of small size are used to provide nonlinearity. After several iterations, all the output bits of the primitive are ideally supposed to depend in a nonlinear way on all of the input variables. However, in some cases, it is possible to find some output bits that depend in an affine way on a small number of input bits if the other input bits are fixed to a well-chosen value. Such situations are for example exploited in cube attacks or in attacks like the one presented by Fuhr against the hash function Hamsi. Here, we define a new property for nonlinear Sboxes, named (v, w)-linearity, which means that 2 w components of an Sbox are affine on all cosets of a v-dimensional subspace. This property is related to the generalization of the so-called Maiorana-McFarland construction for Boolean functions. We show that this concept quantifies the ability of an Sbox to propagate affine relations. As a proof of concept, we exploit this new notion for analyzing and slightly improving Fuhr's attack against Hamsi and we show that its success strongly depends on the (v, w)-linearity of the involved Sbox.

show abstract

An Improved Algebraic Attack on Hamsi-256

Cited by 13 publications

References 9 publications

On the Influence of the Algebraic Degree of $F^{-1}$ on the Algebraic Degree of $G \circ F$

On the Influence of the Algebraic Degree of $F^{-1}$ on the Algebraic Degree of $G \circ F$

Haraka v2 – Efficient Short-Input Hashing for Post-Quantum Applications

A New Criterion for Avoiding the Propagation of Linear Relations Through an Sbox

Contact Info

Product

Resources

About