Bicliques for Permutations: Collision and Preimage Attacks in Stronger Settings

Khovratovich, Dmitry

doi:10.1007/978-3-642-34961-4_33

Cited by 8 publications

(5 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[18] as a translation of a regular biclique to permutations. It helps to carry out regular preimage and collision attacks on MMObased and MP-based primitives.…”

Section: Sliced-biclique Techniquementioning

confidence: 99%

“…Instead of the rebound attack, the meet-in-the-middle (MITM) attack is used to show preimage and collision attacks on hash function. The specific technique is sliced-biclique technique [18] and it utilizes a generic method to convert MITM preimage attacks into collision attacks in the narrow-pipe hash functions proposed at FSE 2012 [19]. At Inscrypt 2014, Megha Agrawal et al [20] have used this technique to show a collision attack on 4-branch, Type-2 GFN-based hash function.…”

Section: Introductionmentioning

confidence: 98%

See 1 more Smart Citation

New criterion for diffusion property and applications to improved GFS and EGFN

Wang

2015

Des. Codes Cryptogr.

View full text Add to dashboard Cite

The maximum diffusion round, D Rmax is a traditional diffusion criterion for block cipher in the secret-key setting. In recent years, the study of the security of block ciphers in hash function setting or known-key setting has attracted great interest. In this paper, we revisit the security of the hash function based on block cipher by using the slicedbiclique technique. The number of rounds attacked Hash R is regarded as a new diffusion criterion for the underlying block cipher in the known-key setting. Intuitively, D Rmax is a criterion with only one base and Hash R is a criterion with two bases. Besides, we design an automated cryptanalysis tool to compute the value of Hash R efficiently. Furthermore, we evaluate the new diffusion property of the improved GFS and EGFN and obtain some interesting results. Firstly, the Hash R for the improved GFS structure with a permutation is equal to that for the structure with its inverse permutation. Secondly, we find that several optimum diffusion matrices with the same D Rmax have different Hash R values. As a result, the numbers of optimum diffusion shuffles for improved GFS with k ≤ 16 are largely reduced referring to the values of Hash R. Meanwhile, we illustrate that the shuffle used in the example of EGFN (k = 8) shown in its original published paper is not optimal according to the new criterion Hash R. The results give some new suggestions for designers when using the improved GFS or EFGN. All in all, the new criterion may guide the design of the block cipher.

show abstract

“…[18] as a translation of a regular biclique to permutations. It helps to carry out regular preimage and collision attacks on MMObased and MP-based primitives.…”

Section: Sliced-biclique Techniquementioning

confidence: 99%

Section: Introductionmentioning

confidence: 98%

New criterion for diffusion property and applications to improved GFS and EGFN

Wang

2015

Des. Codes Cryptogr.

View full text Add to dashboard Cite

show abstract

“…The computational cost effort, for our IDN scheme, to find a collision is approximately 2 n/2 , n = 256 (k-bit), for birthday attacks. Moreover, the computational cost effort for a biclique key recovery is over 2 250 -bit, under 14-rounds for 2 40 data, and a preimage attack, it is over 2 120 -bit, under 14rounds [46]- [48]. Therefore, this computational effort leads to unfeasible known polynomial-time attacks between the plaintext CPF to the encrypted IDN or IDN to CPF, holding anonymity.…”

Section: B Ss and Ind Securitymentioning

confidence: 99%

Improving Data Security, Privacy, and Interoperability for the IEEE Biometric Open Protocol Standard

Filho

Sousa

et al. 2022

IEEE Access

View full text Add to dashboard Cite

“…The permutations P 512 and P 1024 of the Grøstl hash function have been two most heavily analyzed primitives in the SHA-3 hash function competition [32,37,19,23,40]. The best analysis on P 512 so far has been the discovery of differential properties up to 9 (out of 10) rounds with work 2 368 and memory 2 64 ; for the permutation P 1024 , the best analysis is the discovery of differential properties up to 10 (out of 14) rounds with work 2 392 and memory 2 64 .…”

Section: Security Analysis Of Grøstl Permutations P 512 and P 1024mentioning

confidence: 99%

A Novel Permutation-Based Hash Mode of Operation FP and the Hash Function SAMOSA

Paul

Homsirikamol

Gaj

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The contribution of the paper is two-fold. First, we design a novel permutationbased hash mode of operation FP, and analyze its security. The FP mode is derived by replacing the hard-to-invert primitive of the FWP mode -designed by Nandi and Paul, and presented at Indocrypt 2010 -with an easy-to-invert permutation; since easy-to-invert permutations with good cryptographic properties are normally easier to design, and are more efficient than the hard-to-invert functions, the FP mode is more suitable in practical applications than the FWP mode.We show that any n-bit hash function that uses the FP mode is indifferentiable from a random oracle up to 2 n/2 queries (up to a constant factor), if the underlying 2n-bit permutation is free from any structural weaknesses. Based on our further analysis and experiments, we conjecture that the FP mode is resistant to all non-trivial generic attacks with work less than the brute force, mainly due to its large internal state. We compare the FP mode with other permutation-based hash modes, and observe that it displays the so far best security/rate trade-off.To put this into perspective, our second contribution is a proposal for a concrete hash function SAMOSA using the new mode and the P -permutations of the SHA-3 finalist Grøstl. Based on our analysis we claim that the SAMOSA family cannot be attacked with work significantly less than the brute force. We also provide hardware implementation (FPGA) results for SAMOSA to compare it with the SHA-3 finalists. In our implementations, SAMOSA family consistently beats Grøstl, Blake and Skein in the throughput to area ratio. With more efficient underlying permutation, it seems possible to design a hash function based on the FP mode that can achieve even higher performances.

show abstract

Bicliques for Permutations: Collision and Preimage Attacks in Stronger Settings

Cited by 8 publications

References 26 publications

New criterion for diffusion property and applications to improved GFS and EGFN

New criterion for diffusion property and applications to improved GFS and EGFN

Improving Data Security, Privacy, and Interoperability for the IEEE Biometric Open Protocol Standard

A Novel Permutation-Based Hash Mode of Operation FP and the Hash Function SAMOSA

Contact Info

Product

Resources

About