Articles published on Preimage Attacks
89 Search results
- Research Article
- 10.1007/s10623-025-01703-y
- Aug 7, 2025
- Designs, Codes and Cryptography
- Tianling Weng + 5 more
Exploiting output bits and the χ operation in MitM preimage attacks on Keccak
- Research Article
- 10.46586/tosc.v2025.i2.87-123
- Jun 11, 2025
- IACR Transactions on Symmetric Cryptology
- Antoine Bak + 1 more
Arithmetization-Oriented hash functions are optimized for their verification to be efficiently implemented within various proof systems, but they are often too slow when evaluated on a regular machine. To solve this problem for some specific protocols, some recent proposals introduced a new type of operation: the Split-And-Lookup. The idea in this case is to “split” prime field elements into smaller integers, e.g. by simply considering their binary representations, and then applying a permutation on each such integer before rebuilding a field element from them. Such operations are fast to evaluate, and of a very high degree in the field, which hopefully implies a high resistance against algebraic attacks. In this paper, we investigate the security offered by such components using two distinct approaches. First, we provide a detailed analysis of the cryptographic properties of the Split-And-Lookup construction. In particular, we present a technique to efficiently compute its Fourier coefficients and linear approximation probabilities, and use them to show linear approximations of the S-boxes of Skyscraper, Monolith, Tip5, and Reinforced Concrete with surprisingly high probabilities. We also present our own S-boxes that could be used as a drop-in replacement for those of Monolith and Tip5, and would provide enhanced security and performance in some contexts. Finally, we turn our attention to the primitives themselves, and present a freestart partial preimage attack on a version of Tip5 reduced to four out of five rounds, where the attacker is allowed to control only one word in the initialization vector. This can be turned into a collision attack against a four-round version of Tip5 with a capacity reduced to 320 bits out of 384, though it should still provide the same security level as the original hash function. Despite the high degree of the Split-And-Lookup construction, we use an algebraic attack that essentially goes “around” these components. While these results do not directly threaten the security of full-round primitives, they further the understanding of the cryptographic properties of these new operations, and of the actual impact they have on the security against various attacks.
- Research Article
- 10.1007/s10623-025-01655-3
- Jun 6, 2025
- Designs, Codes and Cryptography
- Xiaoen Lin + 5 more
Internal differential structure: preimage attacks on up to 5-round Keccak
- Research Article
- 10.1186/s42400-024-00340-7
- May 24, 2025
- Cybersecurity
- Qinggan Fu + 3 more
Ascon, a family of algorithms that supports hashing and authenticated encryption, is the winner of the NIST Lightweight Cryptography Project. In this paper, we propose an improved preimage attack against 2-round Ascon-XOF-64 with a complexity of 2^33 via a more effective guessing strategy. Furthermore, we successfully extend our preimage attack on 2-round Ascon-XOF-64 to 2-round Ascon-XOF-128, achieving a complexity of 2^97, which is currently the best preimage attack against 2-round Ascon-XOF-128. Apart from the preimage attack, we also investigate the resistance of Ascon-HASH against collision attacks. To be specific, we introduce the linearization of the inverse of S-boxes and then propose a free-start collision attack on 3-round Ascon-HASH with a complexity of 2^14 using a differential trail searched dedicatedly. In addition, we construct different 2-round connectors using the linearization of the inverse of S-boxes and successfully extend the collision attack to 4 rounds and 5 rounds of Ascon-HASH with complexities of 2^18 and 2^41, respectively. Although our attacks do not compromise the security of the full 12-round Ascon-XOF and Ascon-HASH, they provide some insights into Ascon’s security.
- Research Article
- 10.46586/tosc.v2025.i1.328-356
- Mar 7, 2025
- IACR Transactions on Symmetric Cryptology
- Xiaoen Lin + 2 more
Recently, linear structures and algebraic attacks have been widely used in preimage attacks on round-reduced Keccak. Inheriting from pioneers’ work, we make some improvements for 3-round Keccak-256 and 4-round Keccak[r=640, c=160]. For 3-round Keccak-256, we introduce a three-stage model to deal with the unsatisfied restrictions while bringing more degrees of freedom at the same time. Besides, we show that guessing values for different variables will result in different complexity of solving time. With these techniques, the guessing times can be decreased to 2^52, and the solving time for each guess can be decreased to around 2^5.2 3-round Keccak calls. As a result, the complexity of finding a preimage for 3-round Keccak-256 can be decreased to around 2^57.2. For 4-round Keccak[r=640, c=160], an instance of the Crunchy Contest, we use some techniques to save degrees of freedom and make better linearization. Based on these techniques, we build an MILP model and obtain an attack with better complexity of around 2^60.9. The results of 3-round Keccak-256 and 4-round Keccak[r=640, c=160] are verified with real examples.
- Research Article
- 10.62056/akjbhey6b
- Oct 7, 2024
- IACR Communications in Cryptology
- Aleksei Udovenko
This note presents attacks on the lightweight hash function TS-Hash proposed by Tsaban, including a polynomial-time preimage attack for short messages (at most n / 2 bits), high-probability differentials, a general subexponential-time preimage attack, and linearization techniques.
- Research Article
- 10.30574/ijsra.2024.12.2.1238
- Jul 31, 2024
- International Journal of Science and Research Archive
- Syed Khundmir Azmi
This paper examines the design of cryptographic hash functions beyond popular SHA algorithms with an eye to overcoming their drawbacks in the context of the new quantum computing threats. As quantum computing is introduced, known cryptographic algorithms, such as hash functions based on the SHA, are at a high risk of being broken because they are susceptible to quantum algorithms such as Shor’s. This study is intended to create collision-resistant, quantum-resilient hash functions that can be used to ensure security in a post-quantum world. Some approaches offered in the study include: adaptation of hash functions to post-quantum models of cryptography, and the effectiveness of these functions in withstanding collision and pre-image attacks. Among other important insights, it is evident that although quantum-resistant hash functions are promising, more development is required to achieve security, efficiency, and scalability. These findings have significant consequences for the future of secure cryptographic protocols, implying that the transition to quantum-resistant cryptography will be a key factor in protecting the integrity and confidentiality of data in the quantum world.
- Research Article
- 10.1142/s2196888824500143
- Jul 26, 2024
- Vietnam Journal of Computer Science
- Praveen Kumar Gundaram
The security of digital communication and information systems is mostly dependent on block ciphers. ARX-based ciphers are widely used due to their simplicity and efficiency. This paper provides an exhaustive cryptanalysis of a subset of ARX-based block ciphers, with particular emphasis on SIMON, SPECK, and IDEA. These ciphers need to be exposed for their weaknesses in algebraic attack resistance and cryptographic properties such as key sensitivity. In addition, we assess the resource utilization and speed of these ciphers, both of which are critical for practical implementation. SMT (Satisfiability Modulo Theories) framework is utilized to tackle constraint fulfillment problems based on first-order logic. The following cryptographic steps use SMT solvers: differential cryptanalysis, collision attack, pre-image attack, modular root-finding, and cryptographic primitive verification. We show that SMT solvers can solve block cipher cryptanalysis constraints. In a cryptanalytic attack, we convert block cipher boolean equations to Z3py. The proposed cryptanalysis method evaluates ARX cipher performance. This method recovers the partial secret key using plaintext and ciphertext pairs, partial key bits, and a predetermined number of rounds. To determine whether SIMON, SPECK, or IDEA are appropriate for distinct security requirements, we conducted a comparative analysis of the results and presented them in tabulated form. This research builds a better understanding of ARX-based block ciphers and allows us to develop more robust and efficient cryptographic algorithms to protect sensitive data in modern communication systems.
- Research Article
- 10.1016/j.jksuci.2024.102060
- May 18, 2024
- Journal of King Saud University - Computer and Information Sciences
- Xingbo Dong + 5 more
Over the years, a number of biometric template protection schemes, often based on the notion of “cancelable biometrics”, have been proposed. An ideal cancelable biometric algorithm complies with four criteria: irreversibility, revocability, unlinkability, and performance preservation. Cancelable biometrics employs an irreversible but distance preserving transformation to convert the original biometric templates into protected templates. Matching in the transform domain can be accomplished due to the property of distance preservation. However, distance preservation also entails security issues, a point often overlooked in existing research. In this paper, we have conducted a comprehensive security analysis of distance preservation in cancelable biometrics for the first time. The analysis is based on a pre-image attack, which is launched to break the security of cancelable biometrics under Kerckhoffs’s assumption. Furthermore, we propose a general security analysis framework under the single and cross-transformation attacks, which also employs an information leakage estimation strategy based on mutual information as a complement. The experimental results performed on real face, iris, and fingerprint data demonstrate that the risks originating from the matching scores computed from the distance/similarity of two cancelable templates greatly compromise the security of cancelable biometric schemes, including the classic Biohashing, Index-of-max hashing, Non-linear multi-dimensional spectral hashing, Indexing-First-One hashing, Bloom Filter and Two-factor Protected Minutia Cylinder-Code. The security versus accuracy trade-off is discussed and recommendations for designing a biometric system secure against pre-image attacks are also proposed. The source code is available at github.com/biometricsecurity/CBrisks.
- Research Article
- 10.1007/s10623-024-01383-0
- Mar 30, 2024
- Designs, Codes and Cryptography
- Seungjun Baek + 2 more
Preimage attacks on reduced-round Ascon-Xof
- Research Article
- 10.1016/j.bcra.2024.100194
- Mar 6, 2024
- Blockchain: Research and Applications
- Hamza Baniata + 1 more
Partial pre-image attack on Proof-of-Work based blockchains
- Research Article
- 10.46586/tosc.v2024.i1.158-187
- Mar 1, 2024
- IACR Transactions on Symmetric Cryptology
- Xiaoyang Dong + 4 more
The Nostradamus attack was originally proposed as a security vulnerability for a hash function by Kelsey and Kohno at EUROCRYPT 2006. It requires the attacker to commit to a hash value y of an iterated hash function H. Subsequently, upon being provided with a message prefix P, the adversary’s task is to identify a suffix S such that H(P∥S) equals y. Kelsey and Kohno demonstrated a herding attack requiring O(√n · 2^(2n/3)) evaluations of the compression function of H, where n represents the output and state size of the hash, placing this attack between preimage attacks and collision searches in terms of complexity. At ASIACRYPT 2022, Benedikt et al. transform Kelsey and Kohno’s attack into a quantum variant, decreasing the time complexity from O(√n · 2^(2n/3)) to O(∛n · 2^(3n/7)). At ToSC 2023, Zhang et al. proposed the first dedicated Nostradamus attack on AES-like hashing in both classical and quantum settings. In this paper, we have made revisions to the multi-target technique incorporated into the meet-in-the-middle automatic search framework. This modification leads to a decrease in time complexity during the online linking phase, effectively reducing the overall attack time complexity in both classical and quantum scenarios. Specifically, we can achieve more rounds in the classical setting and reduce the time complexity for the same round in the quantum setting.
- Research Article
- 10.1049/2024/1230891
- Jan 1, 2024
- IET Information Security
- Shiwei Chen + 3 more
The exclusive-or (XOR) hash combiner is a classical hash function combiner, which is well known as a good PRF and MAC combiner, and is used in practice in TLS versions 1.0 and 1.1. In this work, we analyze the second preimage resistance of the XOR combiner underlying two different narrow-pipe hash functions with weak ideal compression functions. To control simultaneously the behavior of the two different hash functions, we develop a new structure called multicollision-and-double-diamond. The multicollision-and-double-diamond structure is constructed using the idea of the meet-in-the-middle technique, combined with Joux’s multicollision and Chen’s inverse-diamond structure. Then, based on the multicollision-and-double-diamond structure, we present a second preimage attack on the XOR hash combiner with a time complexity of about O((2n + 1)·2^(n/2) + (n − l)·2^(n − l) + (n − k)·2^(n − k) + 2^(l + 1) + 2^(k + 1)) (n is the size of the XOR hash combiner, and l and k are respectively the depths of the two inverse-diamond structures), less than the ideal time complexity O(2^n), and memory of about O(2^k + 2^l).
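The Joux multicollision that the structure above builds on, as an added example that is not code from the paper: a toy 16-bit narrow-pipe Merkle-Damgård hash, k chained one-block collisions giving 2^k distinct messages with the same H1, and then a birthday search among those messages for a pair that also agrees on H2, so the pair collides under any combiner of the two hashes, XOR or concatenation. The two toy hash functions (one SHA-256 with a domain-separation tag, truncated to 16 bits), the 4-byte counter blocks and k = 12 are assumptions chosen so the search finishes instantly; the block shows the "simultaneous control over two narrow-pipe hashes" ingredient, not the paper's second-preimage attack.

```python
import hashlib

N_BITS = 16                      # toy digest/state size; real hashes use >= 160 bits


def compress(tag: bytes, h: int, block: bytes) -> int:
    """Toy compression function: SHA-256(tag || h || block) truncated to N_BITS.
    `tag` turns one SHA-256 into two unrelated toy hash functions H1 and H2 (assumption)."""
    d = hashlib.sha256(tag + h.to_bytes(2, "big") + block).digest()
    return int.from_bytes(d[:2], "big")


def md_hash(tag: bytes, blocks, iv: int = 0) -> int:
    """Narrow-pipe iterated hash: the whole chaining state is N_BITS wide."""
    h = iv
    for b in blocks:
        h = compress(tag, h, b)
    return h


def find_block_collision(tag: bytes, h: int):
    """Birthday search for two distinct blocks colliding under compress(tag, h, .).
    About 2^(N_BITS/2) compressions; blocks are 4-byte counters (constructed input)."""
    seen = {}
    i = 0
    while True:
        block = i.to_bytes(4, "big")
        v = compress(tag, h, block)
        if v in seen:
            return seen[v], block, v
        seen[v] = block
        i += 1


def joux_multicollision(tag: bytes, k: int, iv: int = 0):
    """k chained one-block collisions: picking one block per pair gives 2^k distinct
    messages that all reach the same final state, for k * 2^(n/2) work instead of
    the 2^(n(2^k-1)/2^k) a generic 2^k-way collision would cost."""
    h = iv
    pairs = []
    for _ in range(k):
        b0, b1, h = find_block_collision(tag, h)
        pairs.append((b0, b1))
    return pairs, h


def expand(pairs):
    """Enumerate the 2^k messages encoded by the collision pairs."""
    for bits in range(1 << len(pairs)):
        yield tuple(pairs[j][(bits >> j) & 1] for j in range(len(pairs)))


def collide_both_hashes(k: int = 12):
    """Two messages with equal H1 and equal H2, hence a collision for H1 xor H2 and
    for H1 || H2.  H1 is pinned by the multicollision, so the 2^k messages are free
    candidates for a birthday search on H2; k = 12 > n/2 makes that search near-certain
    at this toy size.  For the 2n-bit concatenation this beats the generic 2^n bound.
    Returns (m1, m2, h1 xor h2) or None if the 2^k candidates did not collide on H2."""
    pairs, h1 = joux_multicollision(b"H1", k)
    seen = {}
    for msg in expand(pairs):
        h2 = md_hash(b"H2", msg)
        if h2 in seen:
            return seen[h2], msg, h1 ^ h2
        seen[h2] = msg
    return None


if __name__ == "__main__":
    m1, m2, digest = collide_both_hashes()
    differing = sum(a != b for a, b in zip(m1, m2))
    print(f"{len(m1)}-block messages differing in {differing} blocks, H1 xor H2 = {digest:#06x} for both")
```

At 16 bits the whole run is a few tens of thousands of SHA-256 calls; scaling N_BITS up shows the 2^(n/2) birthday cost of each step directly, which is the point: the combiner's security is bounded by the narrow pipe of each component, not by the combined digest length.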
- Research Article
- 10.46586/tosc.v2023.i3.74-100
- Sep 19, 2023
- IACR Transactions on Symmetric Cryptology
- Huina Li + 4 more
Ascon is the final winner of the lightweight cryptography standardization competition (2018–2023). In this paper, we focus on preimage attacks against round-reduced Ascon. The preimage attack framework, utilizing the linear structure with the allocating model, was initially proposed by Guo et al. at ASIACRYPT 2016 and subsequently improved by Li et al. at EUROCRYPT 2019, demonstrating high effectiveness in breaking the preimage resistance of Keccak. In this paper, we extend this preimage attack framework to Ascon from two aspects. Firstly, we propose a linearize-and-guess approach by analyzing the algebraic properties of the Ascon permutation. As a result, the complexity of finding a preimage for 2-round Ascon-Xof with a 64-bit hash value can be significantly reduced from 2^39 guesses to 2^27.56 guesses. To support the effectiveness of our approach, we find an actual preimage of the all-‘0’ hash in practical time. Secondly, we develop a SAT-based automatic preimage attack framework using the linearize-and-guess approach, which is efficient to search for the optimal structures exhaustively. Consequently, we present the best theoretical preimage attacks on 3-round and 4-round Ascon-Xof so far.
- Research Article
- 10.46586/tosc.v2023.i3.146-183
- Sep 19, 2023
- IACR Transactions on Symmetric Cryptology
- André Schrottenloher + 1 more
The meet-in-the-middle (MITM) technique has led to many key-recovery attacks on block ciphers and preimage attacks on hash functions. Nowadays, cryptographers use automatic tools that reduce the search of MITM attacks to an optimization problem. Bao et al. (EUROCRYPT 2021) introduced a low-level modeling based on Mixed Integer Linear Programming (MILP) for MITM attacks on hash functions, which was extended to key-recovery attacks by Dong et al. (CRYPTO 2021). However, the modeling only covers AES-like designs. Schrottenloher and Stevens (CRYPTO 2022) proposed a different approach aiming at higher-level simplified models. However, this modeling was limited to cryptographic permutations. In this paper, we extend the latter simplified modeling to also cover block ciphers with simple key schedules. The resulting modeling enables us to target a large array of primitives, typically lightweight SPN ciphers where the key schedule has a slow diffusion, or none at all. We give several applications such as full breaks of the PIPO-256 and FUTURE block ciphers, and reduced-round classical and quantum attacks on SATURNIN-Hash.
- Research Article
- 10.1109/tdsc.2022.3218782
- Sep 1, 2023
- IEEE Transactions on Dependable and Secure Computing
- Min Wang + 2 more
Recent findings confirm that biometric templates derived from electroencephalography (EEG) signals contain sensitive information about registered users, such as age, gender, cognitive ability, mental status and health information. Existing privacy-preserving methods such as hash function and fuzzy commitment are not cancelable, where raw biometric features are vulnerable to hill-climbing attacks. To address this issue, we propose the PolyCosGraph, a system based on Polynomial transformation embedding Cosine functions with Graph features of EEG signals, which is a privacy-preserving and cancelable template design that protects EEG features and system security against multiple attacks. In addition, a template corrupting process is designed to further enhance the security of the system, and a corresponding matching algorithm is developed. Even when the transformed template is compromised, attackers cannot retrieve raw EEG features and the compromised template can be revoked. The proposed system achieves the authentication performance of 1.49% EER with a resting state protocol, 0.68% EER with a motor imagery task, and 0.46% EER under a watching movie condition, which is equivalent to that in the non-encrypted domain. Security analysis demonstrates that our system is resistant to attacks via record multiplicity, preimage attacks, hill-climbing attacks, second attacks and brute force attacks.
- Research Article
- 10.3390/sym15081563
- Aug 10, 2023
- Symmetry
- Jianqiang Ni + 4 more
The rise of modern cryptographic protocols such as Zero-Knowledge proofs and secure Multi-party Computation has led to an increased demand for a new class of symmetric primitives. Unlike traditional platforms such as servers, microcontrollers, and desktop computers, these primitives are designed to be implemented in arithmetical circuits. In terms of security evaluation, arithmetization-oriented primitives are more complex compared to traditional symmetric cryptographic primitives. The arithmetization-oriented permutation Grendel employs the Legendre Symbol to increase the growth of algebraic degrees in its nonlinear layer. To analyze the security of Grendel thoroughly, it is crucial to investigate its resilience against algebraic attacks. This paper presents a preimage attack on the sponge hash function instantiated with the complete rounds of the Grendel permutation, employing algebraic methods. A technique is introduced that enables the elimination of two complete rounds of substitution permutation networks (SPN) in the sponge hash function without significant additional cost. This method can be combined with univariate root-finding techniques and Gröbner basis attacks to break the number of rounds claimed by the designers. By employing this strategy, our attack achieves a gain of two additional rounds compared to the previous state-of-the-art attack. With no compromise to its security margin, this approach deepens our understanding of the design and analysis of such cryptographic primitives.
- Research Article
- 10.46586/tosc.v2023.i2.224-252
- Jun 16, 2023
- IACR Transactions on Symmetric Cryptology
- Zhiyu Zhang + 3 more
At EUROCRYPT 2006, Kelsey and Kohno proposed the so-called chosen target forced-prefix (CTFP) preimage attack, where for any challenge prefix P, the attacker can generate a suffix S such that H(P∥S) = y for some hash value y published in advance by the attacker. Consequently, the attacker can pretend to predict some event represented by P she did not know before, and thus this type of attack is also known as the Nostradamus attack. At ASIACRYPT 2022, Benedikt et al. convert Kelsey et al.’s attack to a quantum one, reducing the time complexity from O(√n · 2^(2n/3)) to O(∛n · 2^(3n/7)). The CTFP preimage attack is less investigated in the literature than (second-)preimage and collision attacks and lacks dedicated methods. In this paper, we propose the first dedicated Nostradamus attack based on the meet-in-the-middle (MITM) attack, and the MITM Nostradamus attack could be up to quadratically accelerated in the quantum setting. According to the recent works on MITM preimage attacks on AES-like hashing, we build an automatic tool to search for optimal MITM Nostradamus attacks and model the tradeoff between the offline and online phases. We apply our method to AES-MMO and Whirlpool, and obtain the first dedicated attack on round-reduced versions of these hash functions. Our method and automatic tool are applicable to other AES-like hashings.
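The chosen-target forced-prefix game defined in this abstract and in Dong et al.'s above, carried out end to end on a toy hash as an added example that is not code from either paper: the offline diamond structure that merges 2^k leaf chaining values pairwise into the committed root y, then the online search for a linking block that takes an arbitrary prefix P onto a leaf, and the read-off of the suffix S with H(P∥S) = y. The 16-bit toy compression function (truncated SHA-256), the tagged counter blocks, the leaf values and k = 4 are assumptions; padding and length encoding are omitted, which the real attack handles by fixing the suffix length in advance so the final padded block is known when the diamond is built. The pairwise collision search below is the simple version; Kelsey and Kohno search a whole level of the tree at once, which is where their 2^(n/2 + k/2 + 2) offline figure comes from.

```python
import hashlib

N_BITS = 16                      # toy state size so the attack runs instantly


def compress(h: int, block: bytes) -> int:
    """Toy compression function: SHA-256(h || block) truncated to N_BITS (assumption)."""
    return int.from_bytes(hashlib.sha256(h.to_bytes(2, "big") + block).digest()[:2], "big")


def md_hash(blocks, iv: int = 0) -> int:
    """Iterated (Merkle-Damgard style) hash over a list of blocks, no padding."""
    h = iv
    for b in blocks:
        h = compress(h, b)
    return h


def enc(i: int, tag: bytes) -> bytes:
    """Constructed message blocks: a tag plus a 4-byte counter."""
    return tag + i.to_bytes(4, "big")


def collide_pair(a: int, b: int, forbidden: set):
    """Blocks ma, mb with compress(a, ma) == compress(b, mb), avoiding chaining values
    already used in the tree so the diamond stays a clean tree.  Birthday-style:
    2^(n/2 + 2) values tabulated from side a, then side b is probed until it hits."""
    table = {}
    for i in range(1 << (N_BITS // 2 + 2)):
        ma = enc(i, b"A")
        table.setdefault(compress(a, ma), ma)
    j = 0
    while True:
        mb = enc(j, b"B")
        v = compress(b, mb)
        if v in table and v not in forbidden:
            return table[v], mb, v
        j += 1


def build_diamond(k: int):
    """Offline phase: 2^k distinct leaf chaining values are merged pairwise, level by
    level, into one root, which the attacker publishes as the committed hash y.
    Returns (leaves, tree, root) with tree[h] = (block, next_h) for every non-root node."""
    level = list(range(1, (1 << k) + 1))          # any 2^k distinct chaining values
    leaves, used, tree = set(level), set(level), {}
    while len(level) > 1:
        nxt = []
        for a, b in zip(level[0::2], level[1::2]):
            ma, mb, v = collide_pair(a, b, used)
            tree[a], tree[b] = (ma, v), (mb, v)
            used.add(v)
            nxt.append(v)
        level = nxt
    return leaves, tree, level[0]


def herd(prefix_blocks, diamond):
    """Online phase: from the state after the challenge prefix P, try linking blocks
    until one lands on a leaf (about 2^(n-k) compressions), then walk the tree to the
    root.  The returned suffix S satisfies md_hash(P + S) == root."""
    leaves, tree, root = diamond
    h = md_hash(prefix_blocks)
    i = 0
    while True:
        link = enc(i, b"L")
        v = compress(h, link)
        if v in leaves:
            break
        i += 1
    suffix = [link]
    while v != root:
        block, v = tree[v]
        suffix.append(block)
    return suffix


if __name__ == "__main__":
    diamond = build_diamond(k=4)
    y = diamond[2]
    print(f"committed in advance: y = {y:#06x}")
    for prefix in (b"Team A wins the final", b"Team B wins the final"):
        suffix = herd([prefix], diamond)
        assert md_hash([prefix] + suffix) == y
        print(f"{prefix.decode()!r} + {len(suffix)} suffix blocks -> {md_hash([prefix] + suffix):#06x}")
```

Both contradictory "predictions" herd to the same published y. The trade-off the abstracts quantify is visible in the two phases: a deeper diamond (larger k) costs more collisions offline but shrinks the 2^(n-k) online linking search, and balancing the two is what yields the O(√n · 2^(2n/3)) total.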
- Research Article
- 10.1007/s11128-023-03907-4
- Jun 3, 2023
- Quantum Information Processing
- Runsong Wang + 4 more
Allocating rotational cryptanalysis-based preimage attack on 4-round Keccak-224 for quantum setting
- Research Article
- 10.1049/ise2.12096
- Jan 1, 2023
- IET Information Security
- Jong Hwan Park
Guest Editorial: Selected papers from the 24th International Conference on Information Security and Cryptology (ICISC 2021)