Automatic Search of Meet-in-the-Middle Preimage Attacks on AES-like Hashing
The Meet-in-the-Middle (MITM) preimage attack is highly effective in breaking the preimage resistance of many hash functions, including but not limited to the full MD5, HAVAL, and Tiger, and reduced SHA-0/1/2. It was also shown to be a threat to hash functions built on block ciphers like AES by Sasaki in 2011. Recently, such attacks on AES hashing modes evolved from merely using the freedom of choosing the internal state to also exploiting the freedom of choosing the message state. However, detecting such attacks, especially those evolved variants, is difficult. In previous works, the search space of the configurations of such attacks is limited, such that manual analysis is practical, which results in sub-optimal solutions. In this paper, we remove artificial limitations in previous works, formulate the essential ideas of the construction of the attack in well-defined ways, and translate the problem of searching for the best attacks into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. The MILP models capture a large solution space of valid attacks, and the objectives of the MILP models are attack configurations with minimal computational complexity. With such MILP models and using an off-the-shelf solver, it is efficient to search for the best attacks exhaustively. As a result, we obtain the first attacks against the full (5-round) and an extended (5.5-round) version of Haraka-512 v2, and 8-round AES-128 hashing modes, as well as improved attacks covering more rounds of Haraka-256 v2 and other members of AES and Rijndael hashing modes.
Keywords: AES; Haraka v2; MITM; Preimage; Automatic search; MILP
- Research Article
- 10.6138/jit.2013.14.3.13
- Jun 18, 2015
- Journal of Internet Technology
In FSE 2011, Sasaki presented preimage attacks on the Davies-Meyer (DM) scheme of 7-round AES and explained how to convert them into attacks on the hash function for the 12 secure PGV schemes. In this paper, we apply Sasaki's work to Double-Block-Length (DBL) hash modes based on an arbitrary block cipher. We generalize the compression functions of several DBL hash modes. Assuming that Sasaki's preimage attack on the DM scheme of the underlying block cipher is faster than a brute-force attack, we evaluate the security of the hash modes against preimage or second-preimage attacks. Hence, we analyzed the hash modes against preimage or second-preimage attacks, except for some cases of the generalized MDC-4.
- Dataset
- 10.21979/n9/jyecio
- Aug 3, 2020
Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. Sasaki in 2011 introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, by the method of meet-in-the-middle. In his attack, the key schedules are not taken into account, hence the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from key, extra degrees of freedom are gained, which are utilized in two ways, i.e., to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from 2^120 to 2^112, 2^96, and 2^96 for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from key to cancel those from state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities 2^120 and 2^96. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the attack complexities further. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.
- Research Article
- 10.46586/tosc.v2023.i3.146-183
- Sep 19, 2023
- IACR Transactions on Symmetric Cryptology
The meet-in-the-middle (MITM) technique has led to many key-recovery attacks on block ciphers and preimage attacks on hash functions. Nowadays, cryptographers use automatic tools that reduce the search of MITM attacks to an optimization problem. Bao et al. (EUROCRYPT 2021) introduced a low-level modeling based on Mixed Integer Linear Programming (MILP) for MITM attacks on hash functions, which was extended to key-recovery attacks by Dong et al. (CRYPTO 2021). However, the modeling only covers AES-like designs. Schrottenloher and Stevens (CRYPTO 2022) proposed a different approach aiming at higher-level simplified models. However, this modeling was limited to cryptographic permutations. In this paper, we extend the latter simplified modeling to also cover block ciphers with simple key schedules. The resulting modeling enables us to target a large array of primitives, typically lightweight SPN ciphers where the key schedule has a slow diffusion, or none at all. We give several applications such as full breaks of the PIPO-256 and FUTURE block ciphers, and reduced-round classical and quantum attacks on SATURNIN-Hash.
- Research Article
- 10.46586/tosc.v2019.i4.318-347
- Jan 31, 2020
- IACR Transactions on Symmetric Cryptology
Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. Sasaki in 2011 introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, by the method of meet-in-the-middle. In his attack, the key-schedules are not taken into account. Hence, the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from the key, an extra degree of freedom is gained, which is utilized in two ways, i.e., to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from 2^120 to 2^104, 2^96, and 2^96 for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from the key to cancel those from the state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities 2^112 and 2^96. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the complexity and extend the attack to one more round. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.
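As an added example (not code from any of the papers listed on this page), the toy below shows in Python the two mechanisms these abstracts rely on. First, a meet-in-the-middle pseudo-preimage on a Davies-Meyer compression function whose block cipher has a key schedule with no diffusion, so each message byte is a neutral word for one half of the cipher: that is the structure behind "neutral bits from the key" here and behind "key schedules with slow diffusion, or none at all" in the ToSC 2023 abstract. Second, the standard conversion of pseudo-preimages into a preimage of the iterated hash, which the DBL and RIPEMD abstracts on this page also use. The 16-bit cipher, its S-box-based round, the IV 0x1234 and the two-block message format are all constructed for the demonstration and have nothing to do with AES.

```python
import random

# PRESENT's 4-bit S-box: a real bijective S-box, borrowed only to build the toy round.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
N_BITS = 16
MASK = (1 << N_BITS) - 1
IV = 0x1234  # constructed IV of the toy hash


def _sub(x, box):
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return sum(box[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))


def _rotl(x, r):
    return ((x << r) | (x >> (N_BITS - r))) & MASK


def rnd(x):
    """One invertible toy round: S-box layer, then a 5-bit rotation."""
    return _rotl(_sub(x, SBOX), 5)


def rnd_inv(y):
    return _sub(_rotl(y, N_BITS - 5), SBOX_INV)


def subkey(b):
    """Toy key schedule with no diffusion: a 16-bit subkey from one message byte."""
    return (b << 8) | (SBOX[b >> 4] << 4) | SBOX[b & 0xF]


# The toy cipher is two halves.  The first half uses only message byte m0 and the
# second only m1, so m1 is neutral for the first half and m0 for the second.
def first_half(h, m0):
    return rnd(rnd(h ^ subkey(m0)))


def second_half(x, m1):
    return rnd(rnd(x ^ subkey(m1)))


def second_half_inv(y, m1):
    return rnd_inv(rnd_inv(y)) ^ subkey(m1)


def compress(h, m):
    """Davies-Meyer: E_m(h) xor h, with a 16-bit message block m = m1 || m0."""
    return second_half(first_half(h, m & 0xFF), m >> 8) ^ h


def hash_md(blocks):
    """Iterated hash over 16-bit blocks (the toy has no padding or length block)."""
    h = IV
    for m in blocks:
        h = compress(h, m)
    return h


def mitm_pseudo_preimage(target, h):
    """Return m with compress(h, m) == target for a chosen chaining value h, or None.

    Forward chunk: 2^8 first-half evaluations over m0.  Backward chunk: 2^8
    second-half inversions over m1.  A match on the 16-bit middle state gives m;
    about one match is expected per h.  Cost 2^9 half-cipher evaluations instead
    of 2^16 full compressions for brute force.
    """
    x_needed = target ^ h  # DM feed-forward: we need E_m(h) == target ^ h
    forward = {first_half(h, m0): m0 for m0 in range(256)}
    for m1 in range(256):
        v = second_half_inv(x_needed, m1)
        if v in forward:
            return (m1 << 8) | forward[v]
    return None


def find_pseudo_preimage(target, seed=1):
    """Retry random chaining values until the MITM step succeeds; returns (h, m)."""
    rng = random.Random(seed)
    while True:
        h = rng.randrange(1 << N_BITS)
        m = mitm_pseudo_preimage(target, h)
        if m is not None:
            return h, m


def preimage(target, table_size=128, seed=1):
    """Pseudo-preimage to preimage conversion (unbalanced meet-in-the-middle).

    Store 2^t pseudo-preimages (h', m') of the target, then hash first blocks
    from the IV until compress(IV, m0) lands on a stored h'.  With pseudo-preimage
    cost 2^k on an n-bit state this balances at about 2^((n+k)/2+1) total work.
    """
    rng = random.Random(seed)
    table = {}
    while len(table) < table_size:
        h = rng.randrange(1 << N_BITS)
        m = mitm_pseudo_preimage(target, h)
        if m is not None:
            table[h] = m
    for m0 in range(1 << N_BITS):
        h1 = compress(IV, m0)
        if h1 in table:
            return [m0, table[h1]]
    return None
```

Each call to mitm_pseudo_preimage does 512 half-cipher evaluations where brute force over the 16-bit block would do 65536 full compressions, and the conversion then needs only about 2^(16-t) first-block trials against a table of 2^t stored pseudo-preimages. With real designs the forward and backward chunks are found by the searches described in the abstracts above; the toy hard-wires the split.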
- Research Article
- 10.46586/tosc.v2022.i2.63-91
- Jun 10, 2022
- IACR Transactions on Symmetric Cryptology
At ASIACRYPT 2012, Sasaki et al. introduced the guess-and-determine approach to extend the meet-in-the-middle (MITM) preimage attack. At CRYPTO 2021, Dong et al. proposed a technique to derive the solution spaces of nonlinear constrained neutral words in the MITM preimage attack. In this paper, we try to combine these two techniques to further improve the MITM preimage attacks. Based on the previous MILP-based automatic tools for MITM attacks, we introduce new constraints due to the combination of guess-and-determine and nonlinearly constrained neutral words to build a new automatic model. As a proof of work, we apply it to the Russian national standard hash function Streebog, which is also an ISO standard. We find the first 8.5-round preimage attack on Streebog-512 compression function and the first 7.5-round preimage attack on Streebog-256 compression function. In addition, we give the 8.5-round preimage attack on Streebog-512 hash function. Our attacks extend the best previous attacks by one round. We also improve the time complexity of the 7.5-round preimage attack on Streebog-512 hash function and 6.5-round preimage attack on Streebog-256 hash function.
- Research Article
- 10.11121/ijocta.01.2021.00899
- Sep 10, 2020
- An International Journal of Optimization and Control: Theories & Applications (IJOCTA)
The periodic vehicle routing problem (PVRP) is an extension of the well-known vehicle routing problem. In this paper, the PVRP with time windows and time spread constraints (PVRP-TWTS) is addressed, which arises in the high-value shipment transportation area. In the PVRP-TWTS, period-specific demands of the customers must be delivered by a fleet of heterogeneous capacitated vehicles over several planning periods. Additionally, the arrival times to a customer should be irregular within its time window over the planning periods, and waiting time is not allowed for the vehicles due to security concerns. This study proposes novel mixed-integer linear programming (MILP) and constraint programming (CP) models for the PVRP-TWTS. Furthermore, we develop several valid inequalities to strengthen the proposed MILP and CP models as well as a lower bound. Even though CP has successful applications for various optimization problems, it is still not as well-known as MILP in the operations research field. This study aims to utilize the effectiveness of CP in solving the PVRP-TWTS. This study presents a CP model for PVRP-TWTS for the first time in the literature to the best of our knowledge. Having a comparison of the CP and MILP models can help in providing a baseline for the problem. We evaluate the performance of the proposed MILP and CP models by modifying the well-known benchmark set from the literature. The extensive computational results show that the CP model performs much better than the MILP model in terms of solution quality.
- Research Article
- 10.1016/j.swevo.2022.101058
- Jun 1, 2022
- Swarm and Evolutionary Computation
Novel MILP and CP models for distributed hybrid flowshop scheduling problem with sequence-dependent setup times
- Conference Article
- 10.1061/40499(2000)151
- May 12, 2001
Automated Real-Time Hydropower Scheduling for Lower Colorado River, Texas
- Research Article
- 10.3926/jiem.2085
- Dec 20, 2016
- Journal of Industrial Engineering and Management
Purpose: The main purpose of the paper is to evaluate the impact of diverse personnel policies around personnel promotion in the design of the strategic staff plan for a public university. Strategic staff planning consists of the determination of the size and composition of the workforce for an organization.
Design/methodology/approach: The staff planning is solved using a Mixed Integer Linear Programming (MILP) model. The MILP model represents the organizational structure of the university, the personnel categories and capacity decisions, the demand requirements, the required service level and budget restrictions. All these aspects are translated into a set of data, as well as the parameters and constraints building up the mathematical model for optimization. The required data for the model is adopted from a Spanish public university.
Findings: The development of appropriate policies for personnel promotion can effectively reduce the number of dismissals while proposing a transition towards different preferable workforce structures in the university.
Research limitations/implications: The long-term staff plan for the university is solved by the MILP model considering a time horizon of 8 years. For this time horizon, the required input data is derived from current data of the university. Different scenarios are proposed considering different temporal trends for input data, such as in demand and admissible promotional ratios for workers.
Originality/value: The literature review reports a lack of formalized procedures for staff planning in universities taking into account, at the same time, the regulations on hiring, dismissals, promotions and the workforce heterogeneity, all considered to optimize workforce size and composition addressing not only economic criteria, but also the required workforce expertise and the quality of the service offered. This paper adopts a formalized procedure developed by the authors in previous works, and exploits it to assess the impact of various personnel policies in the staff planning for a particular university case, and this is the principal contribution of the paper.
- Research Article
- 10.1587/transfun.e97.a.1747
- Jan 1, 2014
- IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
We give some attacks on the DBL hash modes MDC-4 and MJH. Our preimage attack on the MDC-4 hash function requires time complexity O(2^(3n/2)) for the block length n of the underlying block cipher, which significantly improves the previous results. Our collision attack on the MJH hash function has a time complexity less than 2^124 for n=128. Our preimage attack on the MJH compression function finds a preimage with time complexity 2^n. It is converted to a preimage attack on the hash function with time complexity O(2^(3n/2)). As far as we know, no cryptanalytic result for MJH has been published before. Our results are helpful for understanding the security of the hash modes together with their security proofs.
- Research Article
- 10.1587/transfun.e95.a.100
- Jan 1, 2012
- IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Even though the meet-in-the-middle preimage attack framework has been successfully applied to attack most narrow-pipe hash functions, it seems difficult to apply this framework to double-branch hash functions. Only a few results have been published on this research. This paper proposes a refined strategy for applying the meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions, RIPEMD and RIPEMD-128, and obtain the following results.
• On RIPEMD. We find a pseudo-preimage attack on the 47-step compression function, where the full version has 48 steps, with a complexity of 2^119. It can be converted to a second preimage attack on the 47-step hash function with a complexity of 2^124.5. Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2^113 to 2^96.
• On RIPEMD-128. We find a pseudo-preimage on the (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2^123. It can be converted to a preimage attack on the (intermediate) 36-step hash function with a complexity of 2^126.5.
Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of attacked steps on both of these hash functions is 35 among previous works, to the best of our knowledge. Therefore we have successfully increased the number of attacked steps. We stress that our attacks do not break the security of full-version RIPEMD and RIPEMD-128. But the security margin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.
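The (second) preimage figures quoted in the abstract above, and the O(2^(3n/2)) figure in the MDC-4/MJH abstract earlier on this page, follow from the standard conversion of a pseudo-preimage attack on the compression function into a preimage attack on the iterated n-bit hash function. The derivation below is an added worked example, not part of either abstract; k denotes the exponent of the pseudo-preimage cost, and n = 128 for RIPEMD and RIPEMD-128.

$$
\text{pseudo-preimage cost } 2^{k}:\qquad
\text{build } 2^{(n-k)/2} \text{ pseudo-preimages } (h', m') \text{ of the target, costing } 2^{(n-k)/2}\cdot 2^{k} = 2^{(n+k)/2}
$$
$$
\text{then hash first blocks from the IV until a chaining value hits a stored } h':\quad
2^{\,n-(n-k)/2} = 2^{(n+k)/2} \text{ trials}
$$
$$
\text{total } \approx 2\cdot 2^{(n+k)/2} = 2^{(n+k)/2+1}
$$
$$
n=128,\ k=119:\ 2^{(128+119)/2+1} = 2^{124.5};\qquad
n=128,\ k=123:\ 2^{(128+123)/2+1} = 2^{126.5};\qquad
k=n:\ 2^{3n/2+1} = O(2^{3n/2}).
$$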
- Research Article
- 10.6688/jise.2014.30.6.7
- Nov 1, 2014
- Journal of Information Science and Engineering
The Grostl hash function is one of the five finalists in the third round of SHA-3 competition hosted by NIST. In this paper, we propose some improved (pseudo) preimage attacks on the Grostl hash function by using some techniques, such as subspace preimage attack and the guess-and-determine technique. We present the improved pseudo preimage attacks on 5-round Grostl-256 hash function and 8-round Grostl-512 hash function, and the complexities of these attacks are (2^(239.90), 2^(240.40)) (in time and memory) and (2^(499.50), 2^(499)), respectively. We also extend the pseudo preimage from 5 rounds to 6 rounds for Grostl-256 hash function, besides the biclique attack. Furthermore, we propose the pseudo second preimage attack on 6-round Grostl-256 hash function. The complexities of our 6-round (pseudo) preimage and second preimage attacks are (2^(253.26), 2^(253.67)) and (2^(251.0), 2^(252.0)), respectively. As far as we know, these are the best known preimage attacks on round-reduced Grostl hash function.
- Research Article
- 10.15587/1729-4061.2022.252060
- Apr 30, 2022
- Eastern-European Journal of Enterprise Technologies
This paper proposes the new hash algorithm HBC-256 (Hash based on Block Cipher) based on the symmetric block cipher of the CF (Compression Function). The algorithm is based on the wide-pipe construct, a modified version of the Merkle-Damgard construct. To transform the block cipher CF into a one-way compression function, the Davies-Meyer scheme is used, which, according to the results of research, is recognized as a strong and secure scheme for constructing hash functions based on block ciphers. The symmetric CF block cipher algorithm used consists of three transformations (Stage-1, Stage-2, and Stage-3), which include modulo two addition, circular shift, and substitution box (four-bit S-boxes). The four substitution boxes are selected from the "golden" set of S-boxes, which have ideal cryptographic properties. The HBC-256 scheme is designed to strike an effective balance between computational speed and protection against a preimage attack. The CF algorithm uses an AES-like primitive as an internal transformation. The hash image was tested for randomness using the NIST (National Institute of Standards and Technology) statistical test suite, and the results were examined for the presence of an avalanche effect in the CF encryption algorithm and the HBC-256 hash algorithm itself. The resistance of HBC-256 to near collisions has been practically tested. Since the classical block cipher key expansion algorithms slow down the hash function, the proposed algorithm is adapted for hardware and software implementation by applying parallel computing. A hashing algorithm was developed that has a sufficiently large freedom to select the sizes of the input blocks and the output hash digest. This will make it possible to create an almost universal hashing algorithm and use it in any cryptographic protocols and electronic digital signature algorithms.
- Research Article
- 10.1016/j.cor.2021.105616
- Nov 1, 2021
- Computers & Operations Research
Metaheuristics with restart and learning mechanisms for the no-idle flowshop scheduling problem with makespan criterion
- Research Article
- 10.1016/j.cor.2020.105020
- Jun 18, 2020
- Computers & Operations Research
Mixed Integer linear programming and constraint programming models for the online printing shop scheduling problem