Improved Preimage Attacks on 4-Round Keccak-224/256
This paper provides an improved preimage attack method on standard 4-round Keccak-224/256. The method is based on the work pioneered by Li and Sun, who design a linear structure of 2-round Keccak-224/256 with 194 degrees of freedom left. By partially linearizing 17 output bits through the last 2 rounds, they finally reach a complexity of 2^207/2^239 for searching a 4-round preimage. Yet under their strategy, those 17 bits are regarded as independent bits and the linearization costs a great amount of freedom. Inspired by their thoughts, we improve the partial linearization method so that multiple output bits can reuse some common degrees of freedom. As a result, the complexity of the preimage attack on 4-round Keccak-224/256 can be decreased to 2^192/2^218, which are both the best known theoretical preimage cryptanalysis results so far. To support the theoretical analysis, we apply our strategy to a 64-bit partial preimage attack within practical complexity. It is remarkable that this partial linearization method can be directly applied if a better linear structure with more freedom left is proposed.
- Book Chapter
- 10.1007/978-3-662-53887-6_9
- Jan 1, 2016
In this paper, we analyze the security of round-reduced versions of the Keccak hash function family. Based on the work pioneered by Aumasson and Meier, and Dinur et al., we formalize and develop a technique named linear structure, which allows linearization of the underlying permutation of Keccak for up to 3 rounds with a large number of variable spaces. As a direct application, it extends the best zero-sum distinguishers by 2 rounds without increasing the complexities. We also apply linear structures to preimage attacks against Keccak. By carefully studying the properties of the underlying Sbox, we show bilinear structures and find ways to convert the information on the output bits to linear functions on input bits. These findings, combined with linear structures, lead us to preimage attacks against up to 4-round Keccak with reduced complexities. An interesting feature of such preimage attacks is low complexities for small variants. As extreme examples, we can now find preimages of 3-round SHAKE128 with complexity 1, as well as the first practical solutions to two 3-round instances of the Keccak challenge. Both zero-sum distinguishers and preimage attacks are verified by implementations. It is noted that the attacks here are still far from threatening the security of the full 24-round Keccak.
- Dataset
- 10.21979/n9/jyecio
- Aug 3, 2020
Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. Sasaki in 2011 introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, by the method of meet-in-the-middle. In his attack, the key schedules are not taken into account, hence the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from key, extra degrees of freedom are gained, which are utilized in two ways, i.e., to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from 2^120 to 2^112, 2^96, and 2^96 for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from key to cancel those from state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities 2^120 and 2^96. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the attack complexities further. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.
- Research Article
- 10.46586/tosc.v2025.i1.328-356
- Mar 7, 2025
- IACR Transactions on Symmetric Cryptology
Recently, linear structures and algebraic attacks have been widely used in preimage attacks on round-reduced Keccak. Building on pioneers' work, we make some improvements for 3-round Keccak-256 and 4-round Keccak[r=640, c=160]. For 3-round Keccak-256, we introduce a three-stage model to deal with the unsatisfied restrictions while bringing more degrees of freedom at the same time. Besides, we show that guessing values for different variables will result in different complexity of solving time. With these techniques, the number of guesses can be decreased to 2^52, and the solving time for each guess can be decreased to around 2^5.2 3-round Keccak calls. As a result, the complexity of finding a preimage for 3-round Keccak-256 can be decreased to around 2^57.2. For 4-round Keccak[r=640, c=160], an instance of the Crunchy Contest, we use some techniques to save degrees of freedom and make better linearization. Based on these techniques, we build an MILP model and obtain an attack with better complexity of around 2^60.9. The results of 3-round Keccak-256 and 4-round Keccak[r=640, c=160] are verified with real examples.
- Research Article
- 10.1108/aeat-05-2018-0149
- Mar 22, 2019
- Aircraft Engineering and Aerospace Technology
Purpose: This paper aims to develop a dynamic performance model of a three-shaft gas turbine for electricity generation and to study a multi-loop control strategy of the three-shaft gas turbine for electricity generation.
Design/methodology/approach: In this paper, the dynamic performance model of the three-shaft gas turbine is established and developed. A novel approach, the variable partial differential coefficient deviation linearization method, is used to simulate the dynamic performance of the three-shaft gas turbine. A single-loop control system, a feed-forward feedback control system and a cascade system are assessed to control the engine during transient operation.
Findings: A novel approach, the variable partial differential coefficient deviation linearization method, is used to simulate the dynamic performance of the three-shaft gas turbine. According to the results shown, the cascade control system is most satisfactory due to its fastest response and the best stability and robustness.
Originality/value: The method of variable partial linearization is adopted to make the dynamic simulation of the model achieve higher precision, better steady state and less computation time. This paper provides a theoretical study for the multi-loop control system of a marine three-shaft gas turbine.
- Research Article
- 10.1049/iet-ifs.2012.0035
- Sep 1, 2013
- IET Information Security
In this study the authors propose a new multivariate hash function within the HAsh Iterative FrAmework (HAIFA), which we call the hash function quadratic polynomials multiplying linear polynomials (QML). The new hash function is made of cubic polynomials which are the products of quadratic polynomials and linear polynomials. The authors design the quadratic-polynomial part of the compression function based on the centre map of the multivariate public key cryptosystem Matsumoto-Imai cryptosystem (MI). The hash function QML can keep the three cryptography properties and be immune to the pre-image attack, second pre-image attack, collision attack, differential attack and algebraic attack. The required memory storage is about 50% of that of a hash function built from cubic polynomials with random coefficients. On the avalanche effect, by experiments the authors get the result that about one half of the output bits are different when one input bit is changed randomly. The one-round diffusion of the hash function QML is twice that of Blake. Also the authors simplify the matrices of the new hash function, analyse the rationality and show the comparable data. Finally, the authors give advice on the parameters of the new hash function and summarise the paper.
- Book Chapter
- 10.1007/978-3-319-06734-6_7
- Jan 1, 2014
In August 2012, the Stribog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). Stribog employs twelve rounds of an AES-based compression function operating in Miyaguchi-Preneel mode. In this paper, we investigate the preimage resistance of the Stribog hash function. In particular, we apply a meet in the middle preimage attack on the compression function which allows us to obtain a 5-round pseudo preimage for a given compression function output with time complexity of 2^448 and memory complexity of 2^64. Additionally, we adopt a guess and determine approach to obtain a 6-round chunk separation that balances the available degrees of freedom and the guess size. The proposed chunk separation allows us to attack 6 out of 12 rounds with time and memory complexities of 2^496 and 2^112, respectively. Finally, by employing a multicollision attack, we show that preimages of the 5 and 6-round reduced hash function can be generated with time complexity of 2^481 and 2^505, respectively. The two preimage attacks have equal memory complexity of 2^256.
Keywords: Cryptanalysis, Hash functions, Meet in the middle, Preimage attack, GOST R 34.11-2012, Stribog
- Book Chapter
- 10.1007/978-3-030-87809-2_15
- Oct 21, 2021
In the present paper, we propose a hybrid approach for network equilibrium problems. This approach combines the methods of conditional gradient and partial linearization. To apply the hybrid method, the whole set of origin-destination pairs is arbitrarily divided into two parts, for one of them the subproblem of direction finding is solved by the conditional gradient method, for the other, the partial linearization method is used. We propose two variants of the hybrid method with inexact direction finding and adaptive step-size choice.
- Research Article
- 10.1049/ise2.12103
- Dec 13, 2022
- IET Information Security
In this paper, improved preimage attacks are presented on 3-round Keccak-256 and Keccak-512 and 4-round Keccak-256 based on algebraic methods. The authors propose some new properties about the components of the Keccak permutation, reconsider the existing preimage attacks, and further refine the linearisation processes of quadratic bits to lower the complexities. For 3-round Keccak-256 and Keccak-512, priority is given to values with higher probability for quadratic bits, such that the guessing complexities decrease from slightly more than 2^65 and 2^440 to 2^64.79 and 2^424, respectively. For the preimage attack on 4-round Keccak-256, some strategies for saving degrees of freedom are applied to solve Boolean multivariate quadratic systems and reduce the guessing complexity from 2^196 to 2^188.
- Research Article
- 10.46586/tosc.v2019.i4.318-347
- Jan 31, 2020
- IACR Transactions on Symmetric Cryptology
Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. Sasaki in 2011 introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, by the method of meet-in-the-middle. In his attack, the key schedules are not taken into account. Hence, the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from the key, extra degrees of freedom are gained, which are utilized in two ways, i.e., to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from 2^120 to 2^104, 2^96, and 2^96 for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from the key to cancel those from the state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities 2^112 and 2^96. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the complexity and extend the attack to one more round. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.
- Book Chapter
- 10.1007/978-3-540-70500-0_21
- Jan 1, 2008
In this paper, we propose preimage attacks on step-reduced MD5. We show that a preimage of a 44-step MD5 can be computed with a complexity of 2^96. We also consider a preimage attack against variants of MD5 where the round order is modified from the real MD5. In such a case, a preimage of a 51-step round-reordered MD5 can be computed with a complexity of 2^96. Our attack uses "local collisions" of MD5 to create a degree of message freedom. This freedom enables us to match the two 128-bit intermediate values efficiently.
- Research Article
- 10.1007/bf00939668
- Aug 1, 1993
- Journal of Optimization Theory and Applications
In this paper, we characterize a class of feasible direction methods in nonlinear programming through the concept of partial linearization of the objective function. Based on a feasible point, the objective is replaced by an arbitrary convex and continuously differentiable function, and the error is taken into account by a first-order approximation of it. A new feasible point is defined through a line search with respect to the original objective, toward the solution of the approximate problem. Global convergence results are given for exact and approximate line searches, and possible interpretations are made. We present some instances of the general algorithm and discuss extensions to nondifferentiable programming.
- Research Article
- 10.1016/j.chaos.2008.02.010
- Apr 18, 2008
- Chaos, Solitons and Fractals
Chaos synchronization of a unified chaotic system via partial linearization
- Research Article
- 10.1016/j.micpro.2016.02.005
- Feb 18, 2016
- Microprocessors and Microsystems
Improved ring oscillator PUF on FPGA and its properties
- Research Article
- 10.1016/j.tcs.2018.02.023
- Mar 1, 2018
- Theoretical Computer Science
Multiplicative complexity of vector valued Boolean functions
- Conference Article
- 10.1109/apccas.2002.1115004
- Oct 28, 2002
This paper presents a principle of analog to digital conversion (ADC) based on a current mode circuit without a DAC. For example, in this circuit the input value can be converted to a 4 bit output at each moment, and a larger number of output bits can be obtained by connecting stages in series. In this current mode, the active current mirror and current comparators control the reference current by adjusting the W/L ratio. Its feasibility agrees with simulation results from the PSPICE program. The circuit design used a CMOS 0.5 μm process which is capable of converting 4 bits in 50 ns, with a power consumption of 0.127 mW, an input current of 0-100 μA and a single 3 V supply. From simulation testing, the conversion rate is faster than other methods using the same parameters.