Cube Attacks on Tweakable Black Box Polynomials
Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF(2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2^55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2^19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2^30 bit operations, and by extrapolating our experimentally verified complexities for various sizes, we have reasons to believe that cube attacks will remain faster than exhaustive search even for 1024 initialization rounds. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds,
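The attack model in this abstract, as an added worked example that is not code from the paper: the "cipher" is a constructed toy polynomial p(v, x) over GF(2) in four public IV bits v and four secret key bits x, queried only as a black box. The mechanism used is the one the full paper describes: pick a set I of public bits (the cube), sum the output over all 2^|I| assignments to those bits with the remaining public bits fixed to 0, and the sum is the superpoly, which for a well-chosen cube is linear in the key. The offline phase (where the attacker may run the cipher under keys of his choice) tests each candidate superpoly for linearity and reads off its coefficients; the online phase evaluates the same sums under the unknown key and solves the resulting linear system over GF(2). The polynomial, the cube list and the function names are assumptions made for this example.

```python
import itertools
import random

N_KEY, N_PUB = 4, 4

def black_box(v, x):
    """Constructed toy cipher over GF(2): v = public IV bits, x = secret
    key bits (lists of 0/1). The attacker only sees the output bit."""
    return (
        (v[0] & v[1] & (x[0] ^ x[2] ^ 1))          # cube {0,1}: x0 + x2 + 1
        ^ (v[0] & v[2] & (x[1] ^ x[3]))            # cube {0,2}: x1 + x3
        ^ (v[1] & v[3] & (x[0] ^ x[1]))            # cube {1,3}: x0 + x1
        ^ (v[2] & v[3] & x[2])                     # cube {2,3}: x2
        ^ (v[0] & x[0] & x[1])                     # cancels under any 2-bit cube
        ^ (v[0] & v[1] & v[2] & x[0] & x[1] & x[3])
        ^ (x[0] & x[3])                            # summed 2^|I| times: cancels
        ^ v[3] ^ 1
    )

def cube_sum(f, cube, key):
    """Superpoly value p_S(I)(key): XOR of f over all assignments to the
    cube bits, every other public bit fixed to 0."""
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        v = [0] * N_PUB
        for i, b in zip(cube, bits):
            v[i] = b
        total ^= f(v, key)
    return total

def unit(i):
    e = [0] * N_KEY
    e[i] = 1
    return e

def preprocess(f, cube, trials=32):
    """Offline phase: BLR-style linearity test of the superpoly, then its
    coefficients (S(e_i) ^ S(0)) and constant term S(0).
    Returns (coeffs, const), or None if the superpoly is not linear."""
    rng = random.Random(1)  # fixed seed so the example is reproducible
    const = cube_sum(f, cube, [0] * N_KEY)
    for _ in range(trials):
        a = [rng.randrange(2) for _ in range(N_KEY)]
        b = [rng.randrange(2) for _ in range(N_KEY)]
        ab = [p ^ q for p, q in zip(a, b)]
        if cube_sum(f, cube, a) ^ cube_sum(f, cube, b) ^ const != cube_sum(f, cube, ab):
            return None
    coeffs = [cube_sum(f, cube, unit(i)) ^ const for i in range(N_KEY)]
    return coeffs, const

def solve_gf2(rows, rhs):
    """Gauss-Jordan elimination over GF(2); rows are coefficient lists."""
    n = len(rows[0])
    m = [row[:] + [r] for row, r in zip(rows, rhs)]
    pivots = []
    for col in range(n):
        piv = next((i for i in range(len(pivots), len(m)) if m[i][col]), None)
        if piv is None:
            continue
        pr = len(pivots)
        m[pr], m[piv] = m[piv], m[pr]
        for i in range(len(m)):
            if i != pr and m[i][col]:
                m[i] = [p ^ q for p, q in zip(m[i], m[pr])]
        pivots.append(col)
    if len(pivots) < n:
        raise ValueError("system not of full rank: need more linear cubes")
    x = [0] * n
    for r, col in enumerate(pivots):
        x[col] = m[r][n]
    return x

def cube_attack(f, cubes, secret_key):
    """Online phase: the only use of the unknown key is through cube sums,
    which the attacker obtains by tweaking the public bits."""
    rows, rhs = [], []
    for cube in cubes:
        lin = preprocess(f, cube)
        if lin is None:          # non-linear superpoly: discard the cube
            continue
        coeffs, const = lin
        rows.append(coeffs)
        rhs.append(cube_sum(f, cube, secret_key) ^ const)
    return solve_gf2(rows, rhs)

SECRET = [1, 0, 1, 1]  # constructed; unknown to the attacker in the online phase
# The 1-bit cube (0,) has superpoly x0*x1 and is rejected by the linearity test.
CUBES = [(0, 1), (0, 2), (1, 3), (2, 3), (0,)]

if __name__ == "__main__":
    print("recovered key:", cube_attack(black_box, CUBES, SECRET))
```

Each linear superpoly costs 2^|I| black-box queries to evaluate, so the online work is the sum of 2^|I| over the cubes kept plus one small Gaussian elimination; the expensive part is the offline search for cubes whose superpolys pass the linearity test.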
How Risky is the Random-Oracle Model?
Abstract. RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a practical preimage attack on BR93 for 1024-bit digests (with complexity less than 2^30). Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS ’07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT ’08. We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model. Hence, this gives an example of a natural scheme that is proven secure in the ROM but that is insecure for any instantiation by a single function. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.
Decoding one out of many
PQCrypto 2011, LNCS volume 7071, 2011
Abstract. Generic decoding of linear codes is the best known attack against most code-based cryptosystems. Understanding and measuring the complexity of the best decoding technique is thus necessary to select secure parameters. We consider here the possibility that an attacker has access to many cryptograms and is satisfied by decrypting (i.e. decoding) only one of them. We show that, in many cases of interest in cryptology, a variant of Stern’s collision decoding can be adapted to gain a factor almost √N when N instances are given. If the attacker has access to an unlimited number of instances, we show that the attack complexity is significantly lower, in fact raised by a power slightly larger than 2/3. Finally we give indications on how to counter those attacks.
Syndrome based collision resistant hashing
Abstract. Hash functions are a hot topic at the moment in cryptography. Many proposals are going to be made for SHA-3, and among them, some provably collision resistant hash functions might also be proposed. These do not really compete with “standard” designs as they are usually much slower and not well suited for constrained environments. However, they present an interesting alternative when speed is not the main objective. As always when dealing with provable security, hard problems are involved, and the fast syndrome-based cryptographic hash function proposed by Augot, Finiasz and Sendrier at Mycrypt 2005 relies on the problem of Syndrome Decoding, a well known “Post-Quantum” problem from coding theory. In this article we review the different variants and attacks against it so as to clearly point out which choices are secure and which are not.
Cryptanalysis of a Hash Function Based on Quasi-Cyclic Codes
Abstract. At the ECRYPT Hash Workshop 2007, Finiasz, Gaborit, and Sendrier proposed an improved version of a previous provably secure syndrome-based hash function. The main innovation of the new design is the use of a quasi-cyclic code in order to have a shorter description and to lower the memory usage. In this paper, we look at the security implications of using a quasi-cyclic code. We show that this very rich structure can be used to build a highly efficient attack: with most parameters, our collision attack is faster than the compression function! Key words: hash function, provable security, cryptanalysis, quasi-cyclic code, syndrome decoding.
Cryptographic Hash Functions: Recent Design Trends and Security Notions
Recent years have witnessed an exceptional research interest in cryptographic hash functions, especially after the popular attacks against MD5 and SHA-1 in 2005. In 2007, the U.S. National Institute of Standards and Technology (NIST) also significantly boosted this interest by announcing a public competition to select the next hash function standard, to be named SHA-3. Not surprisingly, the hash function literature has since been growing at an extremely fast pace. In this paper, we provide a comprehensive, up-to-date discussion of the current state of the art of cryptographic hash function security and design. We first discuss the various hash function security properties and notions, then proceed to give an overview of how (and why) hash functions evolved over the years, giving rise to the current diverse hash function design approaches. A short version of this paper is in [1]. This version has been thoroughly extended, revised and updated. This
Improving the Performance of the SYND Stream Cipher
, 2013
Abstract. In 2007, Gaborit et al. proposed the stream cipher SYND as an improvement of the pseudo random number generator due to Fischer and Stern. This work shows how to improve considerably the efficiency of the SYND cipher without using the so-called regular encoding and without compromising the security of the modified SYND stream cipher. Our proposal, called XSYND, uses a generic state transformation which is reducible to the Regular Syndrome Decoding problem (RSD), but has better computational characteristics than the regular encoding. A first implementation shows that XSYND runs much faster than SYND for a comparable security level (being more than three times faster for a security level of 128 bits, and more than 6 times faster for 400-bit security), though it is still only half as fast as AES in counter mode. Parallel computation may yet improve the speed of our proposal, and we leave it as future research to improve the efficiency of our implementation.
Improved Generalized Birthday Attack
, 2011
Let r, B and w be positive integers. Let C be a linear code of length Bw and subspace of F_2^r. The k-regular-decoding problem is to find a nonzero codeword consisting of w length-B blocks with Hamming weight k. This problem was mainly studied after 2002. Not being able to solve this problem is critical for cryptography as it gives a fast attack against FSB, SWIFFT and learning parity with noise. In this paper, the classical methods are used in the same algorithm and improved.
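The regular-decoding problem above, and the collision attacks on syndrome-based hashes (FSB and its quasi-cyclic variant) that the earlier entries discuss, both reduce to finding one column per block of a parity-check matrix whose XOR is zero. The following is an added example, not code from any of these papers: it runs the classical 4-list generalized birthday algorithm (Wagner's) on a constructed 1-regular instance with w = 4 blocks of B = 2^8 random r-bit columns, r = 3*8. Each merge level forces 8 more bits of the running XOR to zero, so the final join is expected to leave about one solution. To make the run reproducible one solution is planted so that it survives the merge restriction; the improvements of the paper itself are not reproduced. Parameter values, the seed and the function names are assumptions of this example.

```python
import random

ELL = 8              # bits zeroed at each merge level
R = 3 * ELL          # syndrome length r: 2 levels * ELL + final 2*ELL bits
B = 1 << ELL         # block length: columns per block
W = 4                # number of blocks (lists); weight k = 1 per block
MASK = (1 << ELL) - 1

def make_instance(seed=7):
    """Constructed instance: W blocks of B random R-bit columns, with one
    1-regular solution planted. The planted pair (c0, c1) agrees on the low
    ELL bits, so Wagner's first-level merge keeps it; c3 is then chosen to
    close the XOR to zero, which makes (c2, c3) agree on the low bits too."""
    rng = random.Random(seed)
    blocks = [[rng.getrandbits(R) for _ in range(B)] for _ in range(W)]
    idx = [rng.randrange(B) for _ in range(W)]
    c0 = blocks[0][idx[0]]
    blocks[1][idx[1]] = (rng.getrandbits(R) & ~MASK) | (c0 & MASK)
    c2 = blocks[2][idx[2]]
    blocks[3][idx[3]] = c0 ^ blocks[1][idx[1]] ^ c2
    return blocks, tuple(idx)

def merge(left, right, shift):
    """Join two lists of (value, indices) on bits [shift, shift+ELL) being
    equal; the joined value is the XOR, whose selected bits are now zero."""
    table = {}
    for val, idx in right:
        table.setdefault((val >> shift) & MASK, []).append((val, idx))
    out = []
    for val, idx in left:
        for rval, ridx in table.get((val >> shift) & MASK, ()):
            out.append((val ^ rval, idx + ridx))
    return out

def wagner4(blocks):
    """4-list generalized birthday: returns one column index per block whose
    columns XOR to zero, or None if the tree yields no solution."""
    lists = [[(c, (j,)) for j, c in enumerate(blk)] for blk in blocks]
    l01 = merge(lists[0], lists[1], 0)   # about B survivors, low ELL bits zero
    l23 = merge(lists[2], lists[3], 0)
    table = {}
    for val, idx in l23:
        table.setdefault(val, []).append(idx)
    for val, idx in l01:                  # final join: remaining bits equal
        for ridx in table.get(val, ()):
            return idx + ridx
    return None

def is_regular_codeword(blocks, sol):
    """Check: one index per block and the selected columns XOR to zero."""
    if sol is None or len(sol) != W:
        return False
    acc = 0
    for blk, j in zip(blocks, sol):
        acc ^= blk[j]
    return acc == 0

if __name__ == "__main__":
    blocks, planted = make_instance()
    sol = wagner4(blocks)
    print("found", sol, "planted", planted, "valid", is_regular_codeword(blocks, sol))
```

With 2^a lists the same tree handles r = (a+1)*ELL bits at list size 2^ELL, which is why syndrome-based hash parameters are chosen so that the number of blocks, the block length and r leave no such favourable tree; the paper's contribution is to squeeze more out of the classical tree than this plain version does.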