Refined Cryptanalysis of the GPRS Ciphers GEA-1 and GEA-2

“…We apply the birthday-paradox based MitM attack 1 , which has been widely used to attack Merkle-Damgård [17,51] hashing with PGV modes as well as block ciphers, to the sponge-based hash functions. Additionally, by applying bit conditions, the diffusion of the two neutral sets can be controlled and reduced, and therefore lead to longer MitM characteristics.…”

“…After the θ operation, the variables will not diffuse. After the π operation, any two variables are not adjacent in a row, and all outputs of A (1) are linear. To further reduce the diffusion of the variables in χ operation, one can add restricted constraints to the value of constant bits.…”

“…Then with the conditions set in π (0) as introduced in Sect. 4.1, we can omit the first χ operation and construct the model from A (1) only considering the linear operation π • ρ from A (0) .…”

“…Then applying the inverse of ρ and π, the linear equations are transformed to [1,3]} . (11) With the known value θ (r) {x,x,z} (0 ≤ x ≤ 4, 0 ≤ z ≤ 63) by (10), we add the same known values (underlined) to both sides of (11), which are…”

“…In the meantime, various techniques have been introduced to improve the framework of MitM attack, such as internal state guessing [30], splice-and-cut [2], initial structure [59], bicliques [11], 3-subset MitM [12], indirect-partial matching [2,59], sieve-in-the-middle [15], match-box [32], dissection [24], differential-aided MitM [14,31,41], nonlinear constrained neutral words [28], etc. Till now, the MitM attack and its variants have broken MD4 [34,44], MD5 [59], KeeLoq [39], HAVAL [4,60], GOST [40], GEA-1/2 [1,7], etc.…”

Meet-in-the-Middle Preimage Attacks on Sponge-Based Hashing

“…We apply the birthday-paradox based MitM attack 1 , which has been widely used to attack Merkle-Damgård [17,51] hashing with PGV modes as well as block ciphers, to the sponge-based hash functions. Additionally, by applying bit conditions, the diffusion of the two neutral sets can be controlled and reduced, and therefore lead to longer MitM characteristics.…”

“…After the θ operation, the variables will not diffuse. After the π operation, any two variables are not adjacent in a row, and all outputs of A (1) are linear. To further reduce the diffusion of the variables in χ operation, one can add restricted constraints to the value of constant bits.…”

“…Then with the conditions set in π (0) as introduced in Sect. 4.1, we can omit the first χ operation and construct the model from A (1) only considering the linear operation π • ρ from A (0) .…”

“…Then applying the inverse of ρ and π, the linear equations are transformed to [1,3]} . (11) With the known value θ (r) {x,x,z} (0 ≤ x ≤ 4, 0 ≤ z ≤ 63) by (10), we add the same known values (underlined) to both sides of (11), which are…”

“…In the meantime, various techniques have been introduced to improve the framework of MitM attack, such as internal state guessing [30], splice-and-cut [2], initial structure [59], bicliques [11], 3-subset MitM [12], indirect-partial matching [2,59], sieve-in-the-middle [15], match-box [32], dissection [24], differential-aided MitM [14,31,41], nonlinear constrained neutral words [28], etc. Till now, the MitM attack and its variants have broken MD4 [34,44], MD5 [59], KeeLoq [39], HAVAL [4,60], GOST [40], GEA-1/2 [1,7], etc.…”

Meet-in-the-Middle Preimage Attacks on Sponge-Based Hashing

Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers

Time-Memory Trade-Offs Sound the Death Knell for GPRS and GSM