Fast Software Encryption 2007 1 Producing collisions for P ANAMA, instantaneously Joan Daemen and Gilles Van Assche STMicroelectronics.

Slides:

Advertisements

Similar presentations

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

Advertisements

3- 1 Chapter 3 Introduction to Numerical Methods Second-order polynomial equation: analytical solution (closed-form solution): For many types of problems,

“Advanced Encryption Standard” & “Modes of Operation”

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.

Digital Signatures and Hash Functions. Digital Signatures.

Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.

1 Nonlinear Control Design for LDIs via Convex Hull Quadratic Lyapunov Functions Tingshu Hu University of Massachusetts, Lowell.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Towards SHA-3 Christian Rechberger, KU Leuven. Fundamental questions in CS theory Do oneway functions exist? Do collision-intractable functions exist?

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Motion Analysis (contd.) Slides are from RPI Registration Class.

Information Security and Management 11

DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Quantum Algorithms II Andrew C. Yao Tsinghua University & Chinese U. of Hong Kong.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.

By Hrishikesh Gadre Session I Introduction to EES Department of Mechanical Engineering Louisiana State University Engineering Equation.

AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected from.

Cryptanalysis. The Speaker  Chuck Easttom  

Yuan Chen Advisor: Professor Paul Cuff. Introduction Goal: Remove reverberation of far-end input from near –end input by forming an estimation of the.

Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.

Asymptotic Techniques

HASH Functions.

Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.

Merkle-Hellman Knapsack Cryptosystem Merkle offered $100 award for breaking singly - iterated knapsack Singly-iterated Merkle - Hellman KC was broken by.

The Steganographic File System Ross Anderson, Roger Needlham, Adi Shamir Presented by: Pan Meng Presented by: Pan Meng.

AES Background and Mathematics CSCI 5857: Encoding and Encryption.

Rijndael Advanced Encryption Standard. Overview Definitions Definitions Who created Rijndael and the reason behind it Who created Rijndael and the reason.

TE/CS 536 Network Security Spring 2006 – Lectures 6&7 Secret Key Cryptography.

Chapter 20 Symmetric Encryption and Message Confidentiality.

Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.

Page 1/15RFIDsec 2006 DESL An Efficient Block Cipher For Lightweight Cryptosystems A. Poschmann, G. Leander, K. Schramm*, C. Paar Ruhr-Universität.

Merkle-Hellman Knapsack Cryptosystem

ESPL 1 Wordlength Optimization with Complexity-and-Distortion Measure and Its Application to Broadband Wireless Demodulator Design Kyungtae Han and Brian.

Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Yaser.

Chapter 11 Message Authentication and Hash Functions.

AES: Rijndael 林志信王偉全. Outline Introduction Mathematical background Specification Motivation for design choice Conclusion Discussion.

Lecture 23 Symmetric Encryption

linear  2.3 Newton’s Method ( Newton-Raphson Method ) 1/12 Chapter 2 Solutions of Equations in One Variable – Newton’s Method Idea: Linearize a nonlinear.

Cryptographic Hash Functions Prepared by Dr. Lamiaa Elshenawy

The RC5 Encryption Algorithm: Two Years On Lisa Yin RC5 Encryption –Ron Rivest, December 1994 –Fast Block Cipher –Software and Hardware Implementations.

Cryptography and Network Security (CS435) Part Nine (Message Authentication)

Error Detection and Correction – Hamming Code

A Ultra-Light Block Cipher KB1 Changhoon Lee Center for Information Security Technologies, Korea University.

DES Analysis and Attacks CSCI 5857: Encoding and Encryption.

CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Network Security. Three tools Hash Function Block Cipher Public Key / Private Key.

The Advanced Encryption Standard Part 2: Mathematical Background

Information Security and Management 11. Cryptographic Hash Functions Chih-Hung Wang Fall

IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.

Real-life cryptography Pfeiffer Alain.  Types of PRNG‘s  History  General Structure  User space  Entropy types  Initialization process  Building.

Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.

Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.

Ordinary differential equations

第 3 章神经网络.

Network Security.

Chapter-2 Classical Encryption Techniques.

MD5 A Hash Algorithm….

Network Security.

SOHAIL SHAHUL HAMEED Dr. BHARGAVI GOSWAMI

Seyed Amir Hossain Naseredini

Hash Function Requirements

Advanced Encryption Standard

Simple Hash Functions Network Security.

Presentation transcript:

Fast Software Encryption Producing collisions for P ANAMA, instantaneously Joan Daemen and Gilles Van Assche STMicroelectronics

Fast Software Encryption Outline Introduction Structure of a collision in P ANAMA Properties of the non-linear function Transferring equations Backtracking cost Producing the collision Conclusion

Fast Software Encryption Structure of P ANAMA Chaining value (CV) Starts from 0 Iterate with input blocks CV size > input block size ( l i ) Do blank iterations Iterate with output blocks Output mapping Collision in the CV → collision Blank iterations make it difficult otherwise

Fast Software Encryption Collision in the chaining value Differential trail input differences CV differences Collision differential trail Initial CV difference = 0 Final CV difference = 0

Fast Software Encryption Inside P ANAMA = state + buffer

Fast Software Encryption Shape of the differential Buffer collisions Atom Rijmen et al. Our attack State injection Five instances of … sub-collisions

Fast Software Encryption Sub-collision in state Two-round differential trail completely determined by 3-block input difference sequence State difference Two differentials over 

Fast Software Encryption P ANAMA’s state updating function ½

Fast Software Encryption Differential over ° a 0 =0 a 1 =1 a 9 =1 a 10 +a 11 =0 a 11 +a 12 =1 a 12 =0

Fast Software Encryption Differential over ° Given differential ( a ', c ' ) Linear conditions on the absolute value a Simple condition (1 bit) or parity conditions (2 bits) Location of conditions only determined by a ' Number of conditions is w(a ' ), weight of a '

Fast Software Encryption Transferring conditions Immediate satisfaction Bridge

Fast Software Encryption Counting conditions and degrees of freedom w(a ' )-8

Fast Software Encryption The backtracking cost w(a')w(a')w(a ' ) max ∑ w(a ' )-8

Fast Software Encryption Bridging

Fast Software Encryption Dependency removal

Fast Software Encryption Producing the collision Choose a differential Least number of conditions to be bridged Work out the equations Immediate satisfaction Bridges Dependencies Finally, it takes 35 input blocks 30 bridges So a total of 65 evaluations of the round function

Fast Software Encryption Conclusion P ANAMA hash function is broken Source file to generate collisions available The way forward: R ADIO G ATÚN Feedback from state to buffer Lower number of input words per round Backtracking cost Ongoing