Preimage Attacks on the Round-reduced Keccak with Cross-linear Structures

Abstract

In this paper, based on the work pioneered by Aumasson and Meier, Dinur et al., and Guo et al., we construct some new delicate structures from the round-reduced versions of the Keccak hash function family. The new structures are called cross-linear structures, because linear polynomials appear across different equations of these structures. We apply cross-linear structures to mount preimage attacks on some instances of round-reduced Keccak. There are three main contributions in this paper. First, we construct a kind of cross-linear structure by setting the states carefully. With these cross-linear structures, guessing the value of one linear polynomial leads to three linear equations (including the guessed one). Second, for some special cases, e.g. the 3-round Keccak Challenge instance Keccak[r=240, c=160, nr=3], a more special kind of cross-linear structure is constructed; these structures can be used to obtain seven linear equations (including the guessed ones) if the values of two linear polynomials are guessed. Third, as applications of the cross-linear structures, we practically found a preimage for the 3-round Keccak Challenge instance Keccak[r=240, c=160, nr=3]. Besides, by constructing similar cross-linear structures, the complexity of the preimage attack on 3-round Keccak-256/SHA3-256/SHAKE256 can be lowered to 2^150/2^151/2^153 operations, while the previous best known result on Keccak-256 is 2^192.

Similar Papers
  • Research Article
  • Cited by 12
  • 10.46586/tosc.v2017.i4.39-57
Preimage Attacks on the Round-reduced Keccak with Cross-linear Structures
  • Dec 15, 2017
  • IACR Transactions on Symmetric Cryptology
  • Ting Li + 3 more

  • Research Article
  • Cited by 1
  • 10.6688/jise.2014.30.6.7
Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function *
  • Nov 1, 2014
  • Journal of Information Science and Engineering
  • Jian Zou + 3 more

The Grøstl hash function is one of the five finalists in the third round of the SHA-3 competition hosted by NIST. In this paper, we propose some improved (pseudo) preimage attacks on the Grøstl hash function by using techniques such as the subspace preimage attack and the guess-and-determine technique. We present improved pseudo preimage attacks on the 5-round Grøstl-256 hash function and the 8-round Grøstl-512 hash function; the complexities of these attacks are (2^(239.90), 2^(240.40)) (in time and memory) and (2^(499.50), 2^(499)), respectively. We also extend the pseudo preimage attack from 5 rounds to 6 rounds for the Grøstl-256 hash function, besides the biclique attack. Furthermore, we propose a pseudo second preimage attack on the 6-round Grøstl-256 hash function. The complexities of our 6-round (pseudo) preimage and second preimage attacks are (2^(253.26), 2^(253.67)) and (2^(251.0), 2^(252.0)), respectively. As far as we know, these are the best known preimage attacks on the round-reduced Grøstl hash function.

  • Book Chapter
  • Cited by 10
  • 10.1007/978-3-030-35423-7_9
Cryptanalysis of Round-Reduced KECCAK Using Non-linear Structures
  • Jan 1, 2019
  • Mahesh Sreekumar Rajasree

In this paper, we present new preimage attacks on KECCAK-384 and KECCAK-512 for 2, 3 and 4 rounds. The attacks are based on non-linear structures (structures that contain quadratic terms). These structures were studied by Guo et al. [13] and Li et al. [18, 19] to give preimage attacks on round reduced KECCAK. We carefully construct non-linear structures such that the quadratic terms are not spread across the whole state. This allows us to create more linear equations between the variables and hash values, leading to better preimage attacks. As a result, we present the best theoretical preimage attack on KECCAK-384 and KECCAK-512 for 2 and 3-rounds and also KECCAK-384 for 4-rounds.

  • Research Article
  • 10.6138/jit.2013.14.3.13
Security evaluation of double-block-length hash modes with preimage attacks on PGV schemes
  • Jun 18, 2015
  • Journal of Internet Technology
  • Dukjae Moon + 3 more

At FSE 2011, Sasaki presented preimage attacks on the Davies-Meyer (DM) scheme of 7-round AES and explained how to convert them into attacks on the hash function for the 12 secure PGV schemes. In this paper, we apply Sasaki's work to Double-Block-Length (DBL) hash modes based on an arbitrary blockcipher. We generalize the compression functions of several DBL hash modes. Assuming Sasaki's preimage attack on the DM scheme of the underlying blockcipher is faster than a brute-force attack, we evaluate the security of the hash modes against preimage and second-preimage attacks. Hence, we analyzed the hash modes against preimage and second-preimage attacks, except for some cases of the generalized MDC-4.

  • Research Article
  • Cited by 7
  • 10.13154/tosc.v2018.i3.182-214
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP
  • Sep 4, 2018
  • IACR Cryptology ePrint Archive
  • Ling Song + 1 more

Cube-attack-like cryptanalysis on round-reduced Keccak was proposed by Dinur et al. at EUROCRYPT 2015. It recovers the key through two phases: the preprocessing phase for precomputing a look-up table, and the online phase for querying the output and getting the cube sum with which the right key can be retrieved by looking up the precomputed table. It was shown that such attacks are efficient specifically for Keccak-based constructions with a small nonce or message block size. In this paper, we provide a mixed integer linear programming (MILP) model for cube-attack-like cryptanalysis on keyed Keccak, which does not impose any unnecessary constraint on cube variables and finds almost optimal cubes by balancing the two phases of cube-attack-like cryptanalysis. Our model is applied to Ketje Jr, Ketje Sr, a Xoodoo-based authenticated encryption and Keccak-MAC-512, all of which have a relatively small nonce or message block size. As a result, the time complexities of 5-round attacks on Ketje Jr and 7-round attacks on Ketje Sr can be improved significantly. Meanwhile, 6-round attacks, one more round than the previous best attack, are possible if the key size of Ketje V1 (V2) is reduced to 72 (80) bits. For Xoodoo-based AE in Ketje style, the attack reaches 6 rounds. Additionally, a 7-round attack on Keccak-MAC-512 is achieved. To verify the correctness of our attacks, a 5-round attack on Ketje V1 is implemented and tested practically. It is noted that this work does not threaten the security of any Keccak-based construction.

  • Research Article
  • 10.3760/cma.j.issn.1004-4477.2018.10.003
Z-scores for fetal atrial volume using real-time three-dimensional echocardiographic Xplane imaging in normal fetuses
  • Oct 25, 2018
  • Chinese Journal of Ultrasonography
  • Wang Linhua + 5 more

Objective: To establish Z-score reference ranges for fetal atrial volume in normal fetuses for accurate assessment of fetal cardiac structure and function. Methods: Two hundred ninety-three normal fetuses with gestational ages between 18 and 38 weeks were investigated. Biparietal diameter (BPD), femur length (FL) and gestational age (GA) were measured. Left atrial volume (LAV) and right atrial volume (RAV) were obtained using echocardiographic Xplane imaging. Subsequently, the optimal regression equation was established with BPD, FL and GA as the independent variables and LAV and RAV as the dependent variables, and then Z-scores of LAV and RAV were calculated. Results: The linear regression equation of LAV and FL was Y=0.056×FL-1.791 (r=0.952); the linear regression equation of RAV and FL was Y=0.057×FL-1.833 (r=0.942); the linear regression equation of LAV and BPD was Y=0.046×BPD-2.289 (r=0.910); the linear regression equation of RAV and BPD was Y=0.047×BPD-2.348 (r=0.903); the linear regression equation of LAV and GA was Y=0.122×GA-2.403 (r=0.952); the linear regression equation of RAV and GA was Y=0.125×GA-2.456 (r=0.942). There was significant heteroscedasticity of the standard deviation (SD) with increasing independent variables, so weighted regression of absolute residuals was used in order to minimize the effect of heteroscedasticity, and the linear regression equation was established. The linear regression equation of LAV-SD and FL was Y=0.005×FL-0.119 (r=0.272); the linear regression equation of RAV-SD and FL was Y=0.005×FL-0.104 (r=0.240); the linear regression equation of LAV-SD and BPD was Y=0.00375×BPD-0.125 (r=0.210); the linear regression equation of RAV-SD and BPD was Y=0.00375×BPD-0.10875 (r=0.192); the linear regression equation of LAV-SD and GA was Y=0.0125×GA-0.21125 (r=0.346); the linear regression equation of RAV-SD and GA was Y=0.0125×GA-0.20875 (r=0.308).
According to these equations, the Z-score formula for LAV was (measured LAV - predicted LAV from BPD, FL and GA)/SD of predicted LAV; the Z-score formula for RAV was (measured RAV - predicted RAV from BPD, FL and GA)/SD of predicted RAV. Conclusions: Fetal Z-score references for LAV and RAV can be established using common fetal biometric parameters (including FL, BPD and GA), utilizing statistical methods based on a large sample size. This enhances accurate assessment of the growth and development of fetal cardiac structures, and provides novel insights for the determination of fetal atrial volume in fetuses with congenital heart disease. Key words: Echocardiography; Left atrial volume; Right atrial volume; Z-score; Xplane

  • Research Article
  • 10.1093/comjnl/bxac150
Differential-Aided Preimage Attacks On Round-Reduced Keccak
  • Nov 9, 2022
  • The Computer Journal
  • Congming Wei + 4 more

At FSE 2008, Leurent introduced the preimage attack on MD4 by exploiting differential trails. In this paper, we apply the differential-aided preimage attack to Keccak with message modification techniques. Instead of directly finding the preimage, we exploit differential characteristics to modify the messages, so that the differences of their hash values and the changes of the given target can be controlled. By adding some constraints, a trail can be used to change one bit at a time and reduce the time complexity by a factor of 2. When the number of rounds increases, we introduce two-stage modification techniques to satisfy part of the constraints as well. In order to solve the other constraints, we also combine the linear-structure technique and accordingly give a preimage attack on 5-round Keccak[r=1440, c=160, l=80].

  • Research Article
  • 10.12694/scpe.v3i4.208
Parallel Computing in Optimization.
  • Jan 1, 2000
  • Scalable Computing Practice and Experience
  • Andrzej Stachurski


  • Dataset
  • 10.21979/n9/jyecio
Replication data for: Improved Meet-in-the-Middle Preimage Attacks against AES Hashing Modes
  • Aug 3, 2020
  • Zhenzhen Bao + 4 more

Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. Sasaki in 2011 introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, by the method of meet-in-the-middle. In his attack, the key schedules are not taken into account, hence the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from key, extra degrees of freedom are gained, which are utilized in two ways, i.e., to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from 2^120 to 2^112, 2^96, and 2^96 for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from key to cancel those from state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities 2^120 and 2^96. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the attack complexities further. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.

  • Research Article
  • 10.21936/si2008_v29.n3b.521
Optimization of recurrence computations on vector and parallel computers
  • Oct 19, 2008
  • Przemysław Stpiczyński

The aim of this monograph is to present the author's contribution to the fields of designing vector and parallel algorithms for solving problems based on linear recurrence computations and optimizing such software for modern vector and parallel computer architectures. In the first chapter, we give a concise overview of the fundamentals of modern computer architectures, performance analysis and methods for vector and parallel programming. We also define the problem of solving linear recurrence systems and present some basic results which can be found in the literature. Chapter 2 describes the use of the Level 1 BLAS operation AXPY as a key to efficient vectorization of m-th order linear recurrence systems with constant coefficients. Applying the Hockney-Jesshope model of vector computations, we present the performance analysis of the algorithm. We also consider the influence of memory bank conflicts. The theoretical analysis is supported by experimental results collected on two vector supercomputers manufactured by Cray. The aim of Chapter 3 is to present a new efficient BLAS-based algorithm for solving linear recurrence systems with constant coefficients, which can be easily and efficiently implemented on shared memory machines. The algorithm is based on the Level 3 and Level 2 BLAS routines GEMM, GEMV and TRMV, which are crucial for its efficiency. The results of experiments performed on various shared memory computers are also presented and discussed. The algorithm can be efficiently implemented on high performance message passing parallel and vector computers and clusters of workstations. In Chapter 4 we analyze the performance of the algorithm using two well known models: BSP and Hockney-Jesshope. Finally, we present the results of experiments performed on a Cray X1 and two different clusters running under Linux.
The aim of Chapters 5, 6 and 7 is to show that the introduced algorithms for solving linear recurrence systems can be applied to a number of problems which arise in scientific computing. In Chapter 5 we introduce a new BLAS-based algorithm for narrow-banded triangular Toeplitz matrix-vector multiplication and show how to evaluate linear recursive filters efficiently on distributed memory parallel computers. We apply the BSP model of parallel computing to predict the behavior of the algorithm and to find the optimal values of the method's parameters. The results of experiments performed on a cluster of twelve dual-processor Itanium 2 computers and a Cray X1 are also presented and discussed. The algorithm makes it possible to utilize up to 30% of the peak performance of 24 Itanium processors, while a simple scalar algorithm can only utilize about 4% of the peak performance of a single processor. Next, we show that the performance of the algorithm for evaluating linear recursive filters can be increased by using the new generalized data structures for dense matrices introduced by F. G. Gustavson. The results of experiments performed on Intel Itanium 2, Cray X1 and dual-processor Quad-Core Xeon are also presented and discussed. In Chapter 6 we introduce a new high performance divide and conquer algorithm for finding trigonometric sums, which can be applied to improve the performance of Talbot's method for the numerical inversion of the Laplace Transform on modern computer architectures including shared memory parallel computers. We also show how to vectorize the first stage of Talbot's method, namely computing all coefficients of the trigonometric sums used by the method. Numerical tests show that the improved method gives the same accuracy as the standard algorithm and makes it possible to utilize parallel processors. In Chapter 7 we show how to apply our algorithms to polynomial evaluation.
Finally, Chapter 8 presents the new data distribution of triangular matrices that provides steady distribution of blocks among processes and reduces memory wasting in comparison with the standard block-cyclic data layout that is used in the ScaLAPACK library for dense matrix computations. The new algorithm for solving triangular systems of linear equations is also introduced. The results of experiments performed on a cluster of Itanium 2 processors and Cray X1 show that in some cases, the new method is faster than corresponding PBLAS routines PSTRSV and PSTRSM.

  • Research Article
  • 10.5075/epfl-thesis-6815
Too big to grow
  • Jan 1, 2015
  • Vladislav Mantič Lugo

Open flows, such as wakes, jets, separation bubbles, mixing layers, boundary layers, etc., develop in domains where fluid particles are continuously advected downstream. They are encountered in a wide variety of situations, ranging from nature to technology. Such configurations are characterised by the development of strong instabilities resulting in observable unsteady dynamics. They can be categorised as oscillators which present intrinsic dynamics through self-sustained oscillations, or as amplifiers, which exhibit a strong sensitivity to external disturbances through extrinsic dynamics. Over the years, different linear and nonlinear approaches have been adopted to describe the dynamics of oscillators and amplifiers. However, a simplified physical description that accurately accounts for the nonlinear saturation of instabilities in oscillators as well as that of the response to disturbances in stable amplifier flows is still missing. In this thesis, this question is addressed by introducing a self-consistent semi-linear model. The model is formally constructed by a set of equations where the mean flow is coupled to a linear perturbation equation through the Reynolds stress. The full nonlinear fluctuating motion is thus approximated by a linear equation. The nonlinear dynamics of oscillators is studied in the cylinder wake, where the most unstable eigenmode of finite amplitude is coupled to the instantaneous mean flow for different oscillation amplitudes. This family of solutions provides an instantaneous mean flow evolution as a function of an equivalent slow time. A transient physical picture is formalised, wherein a harmonic perturbation grows and changes the amplitude, frequency, growth-rate and structure due to the modification of the instantaneous mean flow by the Reynolds stress forcing. Eventually this perturbation saturates when the flow is marginally stable. 
In contrast to standard linear stability analysis around the mean flow, the iterative solution of the model provides a priori an accurate prediction of the instantaneous amplitude, frequency and growth rate, as well as the flow fields, without resorting to any input from numerical or experimental data. Regarding noise amplifiers, the nonlinear saturation of the large linear amplification to external disturbances is studied in the framework of the receptivity analysis of the backward facing step flow. The self-consistent model is first introduced for harmonic forcing and later generalised to stochastic forcing by reformulating it conveniently in frequency domain. The results show an accurate prediction of the response energy as well as the flow fields. Hence, a similar picture is revealed, wherein the Reynolds stress dominates the saturation process. Despite the difference in the dynamics of the described flows, they share the same nonlinear saturation mechanism: the mean flow distortion.

  • Research Article
  • 10.46586/tosc.v2025.i1.328-356
Practical Preimage Attacks on 3-Round Keccak-256 and 4-Round Keccak[r=640, c=160]
  • Mar 7, 2025
  • IACR Transactions on Symmetric Cryptology
  • Xiaoen Lin + 2 more

Recently, linear structures and algebraic attacks have been widely used in preimage attacks on round-reduced Keccak. Building on pioneers' work, we make some improvements for 3-round Keccak-256 and 4-round Keccak[r=640, c=160]. For 3-round Keccak-256, we introduce a three-stage model to deal with the unsatisfied restrictions while bringing more degrees of freedom at the same time. Besides, we show that guessing values for different variables results in different solving-time complexities. With these techniques, the number of guesses can be decreased to 2^52, and the solving time for each guess can be decreased to around 2^5.2 3-round Keccak calls. As a result, the complexity of finding a preimage for 3-round Keccak-256 can be decreased to around 2^57.2. For 4-round Keccak[r=640, c=160], an instance of the Crunchy Contest, we use some techniques to save degrees of freedom and obtain a better linearization. Based on these techniques, we build an MILP model and obtain an attack with a better complexity of around 2^60.9. The results on 3-round Keccak-256 and 4-round Keccak[r=640, c=160] are verified with real examples.

  • Book Chapter
  • Cited by 13
  • 10.1007/978-3-030-90567-5_5
Algebraic Attacks on Round-Reduced Keccak
  • Jan 1, 2021
  • Fukang Liu + 3 more

Since Keccak was selected as the SHA-3 standard, both its hash mode and keyed mode have attracted lots of third-party cryptanalysis. Especially in recent years, there has been progress in analyzing the collision resistance and preimage resistance of round-reduced Keccak. However, for the preimage attacks on round-reduced Keccak-384/512, we found that the linear relations leaked by the hash value are not well exploited when utilizing the current linear structures. To make full use of the 320 + 64 × 2 = 448 and 320 linear relations leaked by the hash value of Keccak-512 and Keccak-384, respectively, we propose a dedicated algebraic attack by expressing the output as a quadratic Boolean equation system in terms of the input. Such a quadratic Boolean equation system can be efficiently solved with linearization techniques. Consequently, we successfully improved the preimage attacks on 2/3/4 rounds of Keccak-384 and 2/3 rounds of Keccak-512.

  • Book Chapter
  • Cited by 36
  • 10.1007/978-3-662-43933-3_13
Rotational Cryptanalysis of Round-Reduced Keccak
  • Jan 1, 2014
  • Paweł Morawiecki + 2 more

In this paper we attack the round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in NIST's contest for a new cryptographic hash function standard. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on the Keccak-f[1600] permutation, the main building block of the Keccak hash function.

  • Dissertation
  • 10.6092/polito/porto/2535694
Boundary value problem for PDEs and some classes of L^p bounded pseudodifferential operators
  • Jan 1, 2014
  • Bokhodir Kholboev

In recent years much attention has been devoted to the study of differential equations of non-classical types. This interest is driven, on one hand, by fluid mechanics, hydro- and gas dynamics and other applied disciplines, and on the other hand, by the needs of the mathematical sciences themselves. One of the most important classes of equations of non-classical type is the third-order equation with multiple characteristics, which is a generalization of the linear Korteweg-de Vries-Burgers equation; special cases of it occur in the propagation of waves in weakly dispersive media, the propagation of waves in a cold plasma, magneto-hydrodynamics, problems of nonlinear acoustics, and the hydrodynamic theory of space plasma. Pioneering work in the theory of odd order partial differential equations with multiple characteristics was done by E. Del Vecchio and H. Block, who studied the technique of constructing fundamental solutions of these equations. Subsequently, the theory of equations with multiple characteristics was greatly developed by the Italian mathematician L. Cattabriga. In the first part of the Ph.D. thesis we develop and study boundary value problems for third-order equations with multiple characteristics in domains with curved boundaries, as well as some properties of the fundamental solutions of the equations when the transition line is a curve. In addition, we construct a solution of the Cauchy problem in the classes of functions growing at infinity, depending on the behaviour of the right-hand side of the equation. The thesis explores both linear and nonlinear boundary value problems for linear and non-linear third-order equations with multiple characteristics in domains with curved boundaries. The main result of the first chapter is the proof of the unique solvability of the general boundary value problem for the third-order equation with multiple characteristics in curved domains.
To prove the uniqueness of the solution, we use the method of energy integrals. For the existence theorem, we find equivalent systems of Volterra integral equations of the second kind. The next chapter consists of three sections and investigates the problem with nonlinear boundary conditions for linear and non-linear equations of the third order with multiple characteristics. To prove the existence and uniqueness theorems, we use energy integral methods and the theory of integral equations. In the last part of the thesis we analyze basic properties of pseudodifferential operators, such as the behaviour of products and adjoints of such operators and their continuity on L^2, L^p and Sobolev spaces. In the thesis we study the L^p-boundedness of vector weighted pseudodifferential operators with symbols which have derivatives with respect to x only up to order k, in the Hölder continuous sense.
