Low-Memory Attacks Against Two-Round Even-Mansour Using the 3-XOR Problem

Leurent, Gaëtan; Sibleyras, Ferdinand

doi:10.1007/978-3-030-26951-7_8

Cited by 9 publications

(7 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This problem has recently seen a renewed interest because of its potential use in cryptanalysis: it is used as a building block in a generic attack [Nan15] against the COPA [ABL + 13] mode of operation for authenticated encryption. Another recent attack [LS19] against the two-round single-key Even-Mansour cipher [EM91] also works by reducing it to a 3XOR computation. An instance of the 3XOR problem can be solved by several algorithms summarized in Table 1.…”

Section: Context Of This Workmentioning

confidence: 99%

Computational records with aging hardware: Controlling half the output of SHA-256

et al. 2021

View full text Add to dashboard Cite

SHA-256 is a secure cryptographic hash function. As such, its output should not have any detectable property. This paper describes three bit strings whose hashes by SHA-256 are nevertheless correlated in a non-trivial way: the first half of their hashes XORs to zero. They were found by "brute-force", without exploiting any cryptographic weakness in the hash function itself. This does not threaten the security of the hash function and does not have any cryptographic implication.This is an example of a large "combinatorial" computation in which at least 8.7 × 10 22 integer operations have been performed. This was made possible by the combination of: 1) recent progress on algorithms for the underlying problem, 2) creative use of "dedicated" hardware accelerators, 3) adapted implementations of the relevant algorithms that could run on massively parallel machines.The actual computation was done on aging hardware. It required seven calendar months using two obsolete second-hand bitcoin mining devices converted into "useful" computational devices. A second step required 570 CPU-years on an 8-year old IBM BlueGene/Q computer, a few weeks before it was scrapped.To the best of our knowledge, this is the first practical 128-bit collision-like result obtained by brute-force, and it is the first bitcoin miner-accelerated computation.

show abstract

Section: Context Of This Workmentioning

confidence: 99%

Computational records with aging hardware: Controlling half the output of SHA-256

et al. 2021

View full text Add to dashboard Cite

show abstract

“…The first line of work is the quest for designing better algorithms for generalized birthday problems, where the goal is to find a single k-SUM or k-XOR solution out of many. The systematic analysis of this problem was initiated by Wagner [35] in his k-tree algorithm, 2 and has led to numerous refined algorithms and applications thereof [13,22,24,29,31].…”

Section: Related Workmentioning

confidence: 99%

“…Similarly to 3-SUM, a simple filtering algorithm has complexity T = Õ(N/r) for N 1/3 ≤ r ≤ N 1/2 . The dense 3-XOR problem has various applications in cryptography and cryptanalysis [9,14,22,24,31]. While mild (logarithmic in N ) improvements to the simple filtering algorithm are known [22,24,31], any substantial (i.e., polynomial in N ) improvement would be considered a breakthrough.…”

Section: Introduction 1backgroundmentioning

confidence: 99%

See 1 more Smart Citation

Fine-Grained Cryptanalysis: Tight Conditional Bounds for Dense k-SUM and k-XOR

Dinur¹,

Keller²,

Klein³

2021

Preprint

View full text Add to dashboard Cite

An average-case variant of the k-SUM conjecture asserts that finding k numbers that sum to 0 in a list of r random numbers, each of the order r k , cannot be done in much less than r ⌈k/2⌉ time. On the other hand, in the dense regime of parameters, where the list contains more numbers and many solutions exist, the complexity of finding one of them can be significantly improved by Wagner's k-tree algorithm. Such algorithms for k-SUM in the dense regime have many applications, notably in cryptanalysis.In this paper, assuming the average-case k-SUM conjecture, we prove that known algorithms are essentially optimal for k = 3, 4, 5. For k > 5, we prove the optimality of the k-tree algorithm for a limited range of parameters. We also prove similar results for k-XOR, where the sum is replaced with exclusive or.Our results are obtained by a self-reduction that, given an instance of k-SUM which has a few solutions, produces from it many instances in the dense regime. We solve each of these instances using the dense k-SUM oracle, and hope that a solution to a dense instance also solves the original problem. We deal with potentially malicious oracles (that repeatedly output correlated useless solutions) by an obfuscation process that adds noise to the dense instances. Using discrete Fourier analysis, we show that the obfuscation eliminates correlations among the oracle's solutions, even though its inputs are highly correlated. * The first author was supported by the Israel Science Foundation (grants no. 573/16 and 1903/20).

show abstract

“…This attack was later refined in [NS15], using an improved 3-xor algorithm, to 2 n/2− queries and 2 n/2− )operations, for small . In [LS19], the authors attacked the 2-round Even Mansour algorithm using this problem with data and time both lower than 2 n . However, the algorithm we use was proposed by Joux [Jou09, Section 8.3.3.1], which is the best algorithm for the 3-xor problem to this day.…”

Section: Improving Complexities Using the 3-xor Problemmentioning

confidence: 99%

Cryptanalysis of LowMC instances using single plaintext/ciphertext pair

Banik

Barooti

Durak

et al. 2020

ToSC

View full text Add to dashboard Cite

Arguably one of the main applications of the LowMC family ciphers is in the post-quantum signature scheme PICNIC. Although LowMC family ciphers have been studied from a cryptanalytic point of view before, none of these studies were directly concerned with the actual use case of this cipher in PICNIC signature scheme. Due to the design paradigm of PICNIC, an adversary trying to perform a forgery attack on the signature scheme instantiated with LowMC would have access to only a single given plaintext/ciphertext pair, i.e. an adversary would only be able to perform attacks with data complexity 1 in a known-plaintext attack scenario. This restriction makes it impossible to employ classical cryptanalysis methodologies such as differential and linear cryptanalysis. In this paper we introduce two key-recovery attacks, both in known-plaintext model and of data complexity 1 for two variants of LowMC, both instances of the LowMC cryptanalysis challenge.

show abstract

Low-Memory Attacks Against Two-Round Even-Mansour Using the 3-XOR Problem

Cited by 9 publications

References 20 publications

Computational records with aging hardware: Controlling half the output of SHA-256

Computational records with aging hardware: Controlling half the output of SHA-256

Fine-Grained Cryptanalysis: Tight Conditional Bounds for Dense k-SUM and k-XOR

Cryptanalysis of LowMC instances using single plaintext/ciphertext pair

Contact Info

Product

Resources

About