Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak

This paper provides an improved preimage attack method on standard 4-round Keccak-224/256. The method is based on the work pioneered by Li and Sun, who design a linear structure of 2-round Keccak-224/256 with 194 degrees of freedom left. By partially linearizing 17 output bits through the last 2 rounds, they finally reach a complexity of 2207/2239 for searching a 4-round preimage. Yet under their strategy, those 17 bits are regarded as independent bits and the linearization costs a great amount of freedom. Inspired by their thoughts, we improve the partial linearization method where multiple output bits can reuse some common degrees of freedom. As a result, the complexity of preimage attack on 4-round Keccak-224/256 can be decreased to 2192/2218, which are both the best known theoretical preimage cryptanalysis so far. To support the theoretical analysis, we apply our strategy to a 64-bit partial preimage attack within practical complexity. It is remarkable that this partial linearization method can be directly applied if a better linear structure with more freedom left is proposed.

In FSE 2011, Sasaki presented the preimage attacks on Davies-Meyer (DM) scheme of 7-round AES and explained conversion of it to the attack on the hash function for 12 secure PGV schemes. In this paper, we apply Sasaki's work to Double-Block-Length (DBL) hash modes based on arbitrary blockcipher. We generalize compression functions in several DBL hash modes. Assuming a Sasaki's preimage attack on DM scheme of the underlying blockcipher is faster than brute-force attack, we evaluate securities of the hash modes against preimage or second-preimage attacks. Hence, we analyzed the hash modes against preimage or second-preimage attacks except some case of the generalized MDC-4.

In this study the authors propose a new multivariate hash function with HAsh Iterative FrAmework framework which we call the hash function quadratic polynomials multiplying linear polynomials (QML). The new hash function is made of cubic polynomials which are the products of quadratic polynomials and linear polynomials. The authors design the quadratic-polynomial part of the compression function based on the centre map of the multivariate public key cryptosystem Matsumoto-Imai cryptosystem (MI). The hash function QML can keep the three cryptography properties and be immune to the pre-image attack, second pre-image attack, collision attack, differential attack and algebraic attack. The required memory storage is about 50% of the one which is built of the cubic polynomials and their coefficients are random. On the avalanche effect, by experiments the authors get the result that about one half of the output bits are different when one input bit is changed randomly. The one-round diffusion of the hash function QML is twice of that of Blake. Also the authors simplify the matrixes of the new hash function, analyse the rationality and show the comparable data. Finally, the authors give the advice to the parameters of the new hash function and summarise the paper.

The Grostl hash function is one of the five finalists in the third round of SHA-3 competition hosted by NIST. In this paper, we propose some improved (pseudo) preimage attacks on the Grostl hash function by using some techniques, such as subspace preimage attack and the guess-and-determine technique. We present the improved pseudo preimage attacks on 5-round Grostl-256 hash function and 8-round Grostl-512 hash function, and the complexities of these attacks are (2^(239.90), 2^(240.40)) (in time and memory) and (2^(499.50), 2^(499)), respectively. We also extend the pseudo preimage from 5 rounds to 6 rounds for Grostl-256 hash function, besides the biclique attack. Furthermore, we propose the pseudo second preimage attack on 6-round Grostl-256 hash function. The complexities of our 6-round (pseudo) preimage and second preimage attacks are (2^(253.26), 2^(253.67)) and (2^(251.0), 2^(252.0)), respectively. As far as we know, these are the best known preimage attacks on round-reduced Grostl hash function.

In this paper, we present improved preimage attacks on the reduced-round GOST hash function family, which serves as the new Russian hash standard, with the aid of techniques such as the rebound attack, the Meet-in-the-Middle preimage attack and the multicollisions. Firstly, the preimage attack on 5-round GOST-256 is proposed which is the first preimage attack for GOST-256 at the hash function level. Then we extend the (previous) attacks on 5-round GOST-256 and 6-round GOST-512 to 6.5 and 7.5 rounds respectively by exploiting the involution property of the GOST transposition operation.Secondly, inspired by the preimage attack on GOST-256, we also study the impacts of four representative truncation patterns on the resistance of the Meet-in-the-Middle preimage attack against AES-like compression functions, and propose two stronger truncation patterns which make it more difficult to launch this type of attack. Based on our investigations, we are able to slightly improve the previous pseudo preimage attacks on reduced-round Grøstl-256.KeywordsHash functionCryptanalysisPreimage GOST Grøstl-256 The Meet-in-the-Middle preimage attackTruncation patterns

We propose a new lightweight BCH code corrector of the random number generator such that the bitwise dependence of the output value is controllable. The proposed corrector is applicable to a lightweight environment and the degree of dependence among the output bits of the corrector is adjustable depending on the bias of the input bits. Hitherto, most correctors using a linear code are studied on the direction of reducing the bias among the output bits, where the biased input bits are independent. On the other hand, the output bits of a linear code corrector are inherently not independent even though the input bits are independent. However, there are no results dealing with the independence of the output bits. The well-known von Neumann corrector has an inefficient compression rate and the length of output bits is nondeterministic. Since the heavy cryptographic algorithms are used in the NIST’s conditioning component to reduce the bias of input bits, it is not appropriate in a lightweight environment. Thus we have concentrated on the linear code corrector and obtained the lightweight BCH code corrector with measurable dependence among the output bits as well as the bias. Moreover, we provide some simulations to examine our results.

At ASIACRYPT 2012, Sasaki et al. introduced the guess-and-determine approach to extend the meet-in-the-middle (MITM) preimage attack. At CRYPTO 2021, Dong et al. proposed a technique to derive the solution spaces of nonlinear constrained neutral words in the MITM preimage attack. In this paper, we try to combine these two techniques to further improve the MITM preimage attacks. Based on the previous MILP-based automatic tools for MITM attacks, we introduce new constraints due to the combination of guess-and-determine and nonlinearly constrained neutral words to build a new automatic model.As a proof of work, we apply it to the Russian national standard hash function Streebog, which is also an ISO standard. We find the first 8.5-round preimage attack on Streebog-512 compression function and the first 7.5-round preimage attack on Streebog-256 compression function. In addition, we give the 8.5-round preimage attack on Streebog-512 hash function. Our attacks extend the best previous attacks by one round. We also improve the time complexity of the 7.5-round preimage attack on Streebog-512 hash function and 6.5-round preimage attack on Streebog-256 hash function.

Dithered hash functions were proposed by Rivest as a method to mitigate second preimage attacks on Merkle-Damgard hash functions. Despite that, second preimage attacks against dithered hash functions were proposed by Andreeva et al. One issue with these second preimage attacks is their huge memory requirement in the precomputation and the online phases. In this paper, we present new second preimage attacks on the dithered Merkle-Damgard construction. These attacks consume significantly less memory in the online phase (with a negligible increase in the online time complexity) than previous attacks. For example, in the case of MD5 with the Keranen sequence, we reduce the memory complexity from about \(2^{51}\) blocks to about \(2^{26.7}\) blocks (about 545 MB). We also present an essentially memoryless variant of Andreeva et al. attack. In case of MD5-Keranen or SHA1-Keranen, the offline and online memory complexity is \(2^{15.2}\) message blocks (about 188–235 KB), at the expense of increasing the offline time complexity.

We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of Kelsey and Kohno [15]. We show that these generic attacks apply to hash functions using the Merkle-Damgard construction with only slightly more work than the previously known attack, but allow enormously more control of the contents of the second preimage found. Additionally, we show that our new attack applies to several hash function constructions which are not vulnerable to the previously known attack, including the dithered hash proposal of Rivest [25], Shoup's UOWHF[26] and the ROX hash construction [2].We analyze the properties of the dithering sequence used in [25], and develop a time-memory tradeoff which allows us to apply our second preimage attack to a wide range of dithering sequences, including sequences which are much stronger than those in Rivest's proposals. Finally, we show that both the existing second preimage attacks [8,16] and our new attack can be applied even more efficiently to multiple target messages; in general, given a set of many target messages with a total of 2R message blocks, these second preimage attacks can find a second preimage for one of those target messages with no more work than would be necessary to find a second preimage for a single target message of 2R message blocks.

Reversible logic can provide lower switching energy costs relative to all irreversible logic, including those developed by industry in semiconductor circuits, however, more research is needed to understand what is possible. Superconducting logic, an exemplary platform for both irreversible and reversible logic, uses flux quanta to represent bits, and the reversible implementation may switch state with low energy dissipation relative to the energy of a flux quantum. Here we simulate reversible shift register gates that are ballistic: their operation is powered by the input bits alone. A storage loop is added relative to previous gates as a key innovation, which bestows an asynchronous property to the gate such that input bits can arrive at different times as long as their order is clearly preserved. The shift register represents bit states by flux polarity, both in the stored bit as well as the ballistic input and output bits. Its operation consists of the elastic swapping of flux between the stored and the moving bit. This is related to a famous irreversible shift register, developed prior to the advent of superconducting flux quanta logic (which used irreversible gates). In the base design of our ballistic shift register (BSR) there is one 1-input and 1-output port, but we find that we can make other asynchronous ballistic gates by extension. The gate constitutes the first asynchronous reversible 2-input gate. Finally, for a better insight into the dynamics, we introduce a collective coordinate model. We find that the gate can be described as motion in two coordinates subject to a potential determined by the input bit and initial stored flux quantum. Aside from the favorable asynchronous feature, the gate is considered practical in the context of energy efficiency, parameter margins, logical depth, and speed.

Recently, linear structures and algebraic attacks have been widely used in preimage attacks on round-reduced Keccak. Inherited by pioneers’ work, we make some improvements for 3-round Keccak-256 and 4-round Keccak[r=640, c=160]. For 3-round Keccak-256, we introduce a three-stage model to deal with the unsatisfied restrictions while bringing more degrees of freedom at the same time. Besides, we show that guessing values for different variables will result in different complexity of solving time. With these techniques, the guessing times can be decreased to 252, and the solving time for each guess can be decreased to around 25.2 3-round Keccak calls. As a result, the complexity of finding a preimage for 3-round Keccak-256 can be decreased to around 257.2. For 4-round Keccak[r=640, c=160], an instance of the Crunchy Contest, we use some techniques to save degrees of freedom and make better linearization. Based on these techniques, we build an MILP model and obtain an attack with better complexity of around 260.9. The results of 3-round Keccak-256 and 4-round Keccak[r=640, c=160] are verified with real examples.

In this paper, we present new preimage attacks on KECCAK-384 and KECCAK-512 for 2, 3 and 4 rounds. The attacks are based on non-linear structures (structures that contain quadratic terms). These structures were studied by Guo et al. [13] and Li et al. [18, 19] to give preimage attacks on round reduced KECCAK. We carefully construct non-linear structures such that the quadratic terms are not spread across the whole state. This allows us to create more linear equations between the variables and hash values, leading to better preimage attacks. As a result, we present the best theoretical preimage attack on KECCAK-384 and KECCAK-512 for 2 and 3-rounds and also KECCAK-384 for 4-rounds.

In this paper, we present a new technique to construct a collision attack from a particular preimage attack which is called a partial target preimage attack. Since most of the recent meet-in-the-middle preimage attacks can be regarded as the partial target preimage attack, a collision attack is derived from the meet-in-the-middle preimage attack. By using our technique, pseudo collisions of the 43-step reduced SHA-256 and the 46-step reduced SHA-512 can be obtained with complexities of 2126 and 2254.5, respectively. As far as we know, our results are the best pseudo collision attacks on both SHA-256 and SHA-512 in literature. Moreover, we show that our pseudo collision attacks can be extended to 52 and 57 steps of SHA-256 and SHA-512, respectively, by combined with the recent preimage attacks on SHA-2 by bicliques. Furthermore, since the proposed technique is quite simple, it can be directly applied to other hash functions. We apply our algorithm to several hash functions including Skein and BLAKE, which are the SHA-3 finalists. We present not only the best pseudo collision attacks on SHA-2 family, but also a new insight of relation between a meet-in-the-middle preimage attack and a pseudo collision attack.

The hash function RIPEMD-160 is a worldwide ISO/IEC standard and the hash function HAS-160 is the Korean hash standard and is widely used in Korea. On the basis of differential meet-in-the-middle attack and biclique technique, a preimage attack on 34-step RIPEMD-160 with message padding and a pseudo-preimage attack on 71-step HAS-160 without message padding are proposed. The former is the first preimage attack from the first step, the latter increases the best pseudo-preimage attack from the first step by 5 steps. Furthermore, we locate the linear spaces in another message words and exchange the bicliques construction process and the mask vector search process. A preimage attack on 35-step RIPEMD-160 and a preimage attack on 71-step HAS-160 are presented. Both of the attacks are from the intermediate step and satisfy the message padding. They improve the best preimage attacks from the intermediate step on step-reduced RIPEMD-160 and HAS-160 by 4 and 3 steps respectively. As far as we know, they are the best preimage and pseudo-preimage attacks on step-reduced RIPEMD-160 and HAS-160 respectively in terms of number of steps.

Even though meet-in-the-middle preimage attack framework has been successfully applied to attack most of narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only few results have been published on this research. This paper proposes a refined strategy of applying meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions RIPEMD and RIPEMD-128, and obtain the following results.• On RIPEMD. We find a pseudo-preimage attack on 47-step compression function, where the full version has 48 steps, with a complexity of 2119. It can be converted to a second preimage attack on 47-step hash function with a complexity of 2124.5. Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2113 to 296.• On RIPEMD-128. We find a pseudo-preimage on (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2123. It canl be converted to a preimage attack on (intermediate) 36-step hash function with a complexity of 2126.5.Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of the attacked steps on both those two hash functions is 35 among previous works based to our best knowledge. Therefore we have successfully increased the number of the attacked steps. We stress that our attacks does not break the security of full-version RIPEMD and RIPEMD-128. But the security mergin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.