## Automated Design of Cryptographic Hash Schemes by Evolving Highly-Nonlinear Functions

### BibTeX

```bibtex
@MISC{Estevez-tapiador_automateddesign,
  author = {Juan M. Estevez-Tapiador and Julio C. Hernandez-Castro and Pedro Peris-Lopez and Arturo Ribagorda},
  title  = {Automated Design of Cryptographic Hash Schemes by Evolving Highly-Nonlinear Functions},
  year   = {}
}
```

### Abstract

In recent years, a number of serious flaws and vulnerabilities have been found in classic cryptographic hash functions such as MD4 and MD5. More recently, similar attacks have been extended to the widely used SHA-1, to such an extent that it is nowadays prudent to switch to schemes such as SHA-256 and Whirlpool. Nevertheless, many cryptographers believe that all the SHA-related schemes could be vulnerable to variants of the same attacks, since all of these schemes have been largely influenced by the design of the MD4 hash function. In this paper, we present a general framework for the automated design of cryptographic block ciphers and hash functions using Genetic Programming. After a characterization of the search space and the fitness function, we evolve highly nonlinear and extremely efficient functions that can be used as the core components of a cryptographic construction. As an example, a new block cipher named Wheedham is proposed. Following the Miyaguchi-Preneel construction, this block cipher is then used as the compression function of a new hash scheme producing 512-bit digests. We present a security analysis of our proposal and a comparison in terms of performance with the most promising alternatives for the near future: SHA-512 and Whirlpool. The results show that automatically obtained schemes such as those presented are competitive in both security and speed.
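The Miyaguchi-Preneel hash construction named in the abstract, iterated over a classical balanced Feistel cipher of the kind the paper's background discusses, as an added example that is not code from the paper. Wheedham itself is not specified on this page, so the cipher below, its round function, key schedule and constants are a constructed stand-in that only uses the paper's operator set (xor, addition and multiplication mod 2^32, fixed-amount rotations); the all-zero IV and the Merkle-Damgard padding rule are also assumptions. What it shows is the shape of the scheme: the chaining value is the cipher key, the feed-forward of both the message block and the chaining value makes the compression one-way although the cipher is invertible, and the digest length equals the block length (512 bits).

```python
import struct

MASK32 = 0xFFFFFFFF
BLOCK_BYTES = 64      # 512-bit block: with Miyaguchi-Preneel the digest is the block size
ROUNDS = 16           # the paper's Wheedham uses 16 rounds
HALF = 8              # each Feistel half is 8 x 32-bit words (256 bits)


def rotl32(x, r):
    """Fixed-amount rotation only; no data-dependent rotation amounts."""
    return ((x << r) | (x >> (32 - r))) & MASK32


def round_function(right, subkey):
    """Toy round function F(R, K) on a 256-bit half, built only from xor,
    addition and multiplication mod 2^32 and fixed rotations.
    Constants are arbitrary (assumption); this is not Wheedham's F."""
    out, carry = [], 0x9E3779B9
    for r, k in zip(right, subkey):
        t = ((r ^ k) * 0x01000193) & MASK32
        t = (t + rotl32(carry, 7)) & MASK32
        t ^= rotl32(t, 13)
        carry = t
        out.append(t)
    return out


def key_schedule(key_words):
    """Toy key schedule: 16 subkeys of 8 words from a 16-word (512-bit) key,
    non-linear and with a round counter so subkeys differ (assumption; not
    the paper's evolved schedule)."""
    state, subkeys = list(key_words), []
    for rnd in range(ROUNDS):
        for i in range(16):
            prev = state[(i - 1) % 16]
            state[i] = ((state[i] + rotl32(prev, 5)) ^ ((prev * 0x85EBCA6B + rnd) & MASK32)) & MASK32
        subkeys.append(state[:HALF])
    return subkeys


def feistel(block_words, key_words, decrypt=False):
    """Classical balanced Feistel network on 16 x 32-bit words (512 bits):
    half of the bits operate on the other half each round. Decryption is
    the same routine with the subkeys in reverse order."""
    left, right = block_words[:HALF], block_words[HALF:]
    subkeys = key_schedule(key_words)
    if decrypt:
        subkeys = subkeys[::-1]
    for sk in subkeys:
        f = round_function(right, sk)
        left, right = right, [a ^ v for a, v in zip(left, f)]
    return right + left   # undo the last swap so decrypt mirrors encrypt


def words(b):
    return list(struct.unpack(">16I", b))


def unwords(w):
    return struct.pack(">16I", *w)


def miyaguchi_preneel(h_prev, m_block):
    """H_i = E_{H_{i-1}}(m_i) xor m_i xor H_{i-1}: the chaining value is the
    cipher key; feeding forward m_i and H_{i-1} makes the compression
    one-way even though E itself is invertible."""
    e = feistel(words(m_block), words(h_prev))
    return unwords([x ^ y ^ z for x, y, z in zip(e, words(m_block), words(h_prev))])


def md_pad(msg):
    """Merkle-Damgard strengthening (assumption): 0x80, zero fill, then the
    message length in bits as a 128-bit big-endian integer."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 16) % BLOCK_BYTES)
    return padded + (len(msg) * 8).to_bytes(16, "big")


def hash512(msg, iv=b"\x00" * BLOCK_BYTES):
    """Iterate the compression function over the padded message blocks."""
    h, padded = iv, md_pad(msg)
    for i in range(0, len(padded), BLOCK_BYTES):
        h = miyaguchi_preneel(h, padded[i:i + BLOCK_BYTES])
    return h


if __name__ == "__main__":
    key, block = bytes(range(64)), bytes(range(64, 128))   # constructed inputs
    ct = unwords(feistel(words(block), words(key)))
    assert unwords(feistel(words(ct), words(key), decrypt=True)) == block
    print(hash512(b"abc").hex())
```

The invertibility check in the usage block is the one property worth keeping when swapping in a real cipher: the Feistel structure guarantees it for any round function, which is exactly why the feed-forward in Miyaguchi-Preneel is needed to turn a permutation into a one-way compression function.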

### Citations

2861 | Genetic Programming: On the Programming of Computers by Means of Natural Selection - Koza - 1992
Citation Context: ...make use of a general approach to automatically find appropriate constructions: Genetic Programming. Genetic Programming is a stochastic population-based search method devised in 1992 by John R. Koza [12]. It is inspired by Genetic Algorithms, the main difference between them being the fact that in the latter, chromosomes are used for encoding possible solutions to a problem, while GP evolves whole comput...

608 | Mersenne twister: A 623-dimensionally equidistributed uniform pseudo-random number generator - Matsumoto, Nishimura - 1998
Citation Context: ...vectors, and $E_k = 8192 \cdot \Pr(B(1/2, 32) = k)$ is the expected value. So the fitness of every individual (key expansion algorithm) is calculated as follows: First, we use the Mersenne Twister generator [18] to generate eight 32-bit random values. Those values are assigned to $(a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7)$. The output value $o_0$ over this input is stored. Then, we randomly flip one single bit of one of the eigh...

427 | Linear cryptanalysis method for DES cipher - Matsui - 1993
Citation Context: ...ch is nonlinear in z32), together with a highly nonlinear operation such as multiplication mod $2^{32}$, is intended to provide good resistance against both differential and linear cryptanalysis [28]. Additionally, other operations such as rotation are included to give adequate diffusion by extending changes from high-significance bits to low-significance bits, and vice versa. All in all, after the...

335 | Differential Cryptanalysis of the Data Encryption Standard - Biham, Shamir - 1993
Citation Context: ...s from high-significance bits to low-significance bits, and vice versa. All in all, after the proposed 16 rounds, we conjecture that Wheedham is secure against both linear and differential cryptanalysis [29], so that no attacks significantly faster than exhaustive key search exist. Moreover, the combined use of the proposed operations makes the existence of weaknesses against Mod n cryptanalysis highly u...

267 | The RC5 Encryption Algorithm - Rivest - 1995
Citation Context: ...the code and circuitry required to implement the cryptosystem. Examples of well-known block ciphers based on this structure are: DES [2], FEAL [3], GOST [4], LOKI [5], CAST [6], Blowfish [7], and RC5 [8], among others. (page header: 1488 J. M. ESTEVEZ-TAPIADOR, J. C. HERNANDEZ-CASTRO, P. PERIS-LOPEZ AND A. RIBAGORDA) Feistel networks gained much popularity after the adoption of DES as an international standard. As...

163 | The microarchitecture of the Pentium 4 processor - Sager, Group, et al. - 2001
Citation Context: ...ions, the multiplication of two 32-bit values could cost up to fifty times more than an xor or an and operation (although this could happen in certain architectures, it is nearly a worst case: 14 times [15] seems to be a more common value). In fact, we did not include it at first, but after extensive experimentation, we concluded that its inclusion was beneficial because, apart from improving non-linea...

140 | Applied Cryptography, 2nd Ed. - Schneier - 1996
Citation Context: ...the size of the code and circuitry required to implement the cryptosystem. Examples of well-known block ciphers based on this structure are: DES [2], FEAL [3], GOST [4], LOKI [5], CAST [6], Blowfish [7], and RC5 [8], among others. Feistel networks gained much popularity after the adoption of DES as an international...

137 | Cryptography and computer privacy - Feistel - 1973
Citation Context: ...tween 8 and 32 rounds. 2.1.1 Feistel networks. A Feistel network is a general structure invented by IBM cryptographer Horst Feistel, who introduced it in 1973 in the design of the block cipher Lucifer [1]. A large number of modern block ciphers are based on Feistel networks for several reasons. First, the Feistel structure presents the advantage that encryption and decryption are very similar (requ...

57 | a Tiny Encryption Algorithm - Wheeler, Needham, et al.
Citation Context: ...r as constants to operate with. The idea behind this operator was to provide a constant value that, independently from the input, could be used by the operators of the function, an idea suggested by [16]. 3.1.3 Fitness function. We have used two different fitness functions for the two main tasks to be accomplished for developing a block cipher following the Feistel scheme: finding a key schedule algor...

50 | Unbalanced Feistel networks and block cipher design - Schneier, Kelsey
Citation Context: ...ock cipher strongly secure (i.e., secure against chosen-ciphertext attacks). In a classical Feistel network half of the bits operate on the other half. As pointed out by Bruce Schneier and John Kelsey [11], there is no inherent reason that this should be so. Although further works have generalized this basic structure, in this work we will refer exclusively to the classical Feistel scheme. 2.1.2 Constru...

46 | Cryptography with cellular automata - Wolfram - 1985

45 | Related-key cryptanalysis of 3-WAY - Kelsey, Schneier, et al. - 1997
Citation Context: ...more insights on the subject, please refer to the excellent discussion in [33]. Furthermore, the key schedule algorithm has been deliberately chosen to be complex enough to avoid related-key attacks [31], to which algorithms with simpler key schedules are prone. The fact that the proposed key schedule achieves a high degree of avalanche ensures, to a certain extent, that no trivial input differences w...

43 | Fast data encipherment algorithm FEAL - Shimizu, Miyaguchi - 1987
Citation Context: ...versal of the key schedule), thus minimizing the size of the code and circuitry required to implement the cryptosystem. Examples of well-known block ciphers based on this structure are: DES [2], FEAL [3], GOST [4], LOKI [5], CAST [6], Blowfish [7], and RC5 [8], among others. Feistel networks gained much popularity af...

41 | Improving resistance to differential cryptanalysis and the redesign of LOKI - Brown, Kwan, et al. - 1991
Citation Context: ...hedule), thus minimizing the size of the code and circuitry required to implement the cryptosystem. Examples of well-known block ciphers based on this structure are: DES [2], FEAL [3], GOST [4], LOKI [5], CAST [6], Blowfish [7], and RC5 [8], among others. Feistel networks gained much popularity after the adoption of...

40 | The Strict Avalanche Criterion: Spectral Properties and an Extended Definition - Forré - 1990
Citation Context: ...ffect, so it is natural to try to obtain such functions by optimizing the amount of avalanche. In fact, we will use an even more demanding property that has been called the Strict Avalanche Criterion [13] which, in particular, implies the Avalanche Effect, and that can be mathematically described as: $\forall x, y \mid H(x, y) = 1,\; H(F(x), F(y)) \approx B\left(\tfrac{1}{2}, n\right)$, where $B$ denotes a binomial distribution...

40 | Key-schedule cryptanalysis of - Kelsey, Schneier, et al. - 1996
Citation Context: ...lent nor weak keys exist. In particular, and following the advice presented in the Prudent Rules of Thumb for Key-Schedule Design section in [31], and in the Designing Strong Key Schedules section of [32] (where the authors suggest "[...] we recommend that designers maximize avalanche in the subkeys [...]"), we have avoided linearity in the design, and we have additionally avoided the generation of independent...

31 | Theory and applications of cellular automata in cryptography - Nandi, Kar, et al. - 1994

27 | How to construct pseudorandom permutations and pseudorandom functions - Luby, Rackoff - 1988
Citation Context: ...el networks have been extensively studied and some important theoretical results regarding precise bounds for their security have been obtained. In particular, Michael Luby and Charles Rackoff proved [10] that if the round function F is a cryptographically secure pseudorandom number generator, with $K_i$ (a parameter derived from the key) used as the seed, then three rounds are sufficient to make the block ci...

24 | Designing S-Boxes For Ciphers Resistant To Differential Cryptanalysis (Extended Abstract) - Adams - 2010
Citation Context: ...hus minimizing the size of the code and circuitry required to implement the cryptosystem. Examples of well-known block ciphers based on this structure are: DES [2], FEAL [3], GOST [4], LOKI [5], CAST [6], Blowfish [7], and RC5 [8], among others. Feistel networks gained much popularity after the adoption of DES as an...

24 | Mod n cryptanalysis, with applications against RC5P and M6 - Kelsey, Schneier, et al. - 1999
Citation Context: ...of weaknesses against Mod n cryptanalysis highly unlikely, as addition and rotation (two of the most vulnerable operations) are not used alone but together with xor and multiplication, as proposed in [30] (the authors claim that both xor and multiplication mod $2^{32}$ are very difficult to approximate mod 3) to increase strength against this kind of attack. The main security drawback of the use of the multip...

23 | Some difficult-to-pass tests of randomness - Marsaglia, Tsang - 2002
Citation Context: ...$E_{(0,\ldots,0)}(X_i)$, i.e., encrypting the low-entropy input described above with the key set to 0. The resulting ciphertext has been analyzed with three batteries of statistical tests, namely ENT [25], Diehard [26], and NIST [27]. The results obtained are presented in Tables 1 and 2. A similar experiment has been performed by analyzing the hashes obtained after applying MPW-512-R2 to the same inputs. Both propo...

10 | GOST 28147-89, "Cryptographic Protection for Data Processing Systems" - GOST - 1989
Citation Context: ...the key schedule), thus minimizing the size of the code and circuitry required to implement the cryptosystem. Examples of well-known block ciphers based on this structure are: DES [2], FEAL [3], GOST [4], LOKI [5], CAST [6], Blowfish [7], and RC5 [8], among others. Feistel networks gained much popularity after the ad...

8 | Related-Key Cryptanalysis of 3-WAY, Biham - Kelsey, Schneier, et al. - 1997
Citation Context: ...make the key schedule more efficient than the round function, but complex and robust enough to avoid simple related-key attacks such as those published against ciphers with simple key expansion mechanisms [17]. To achieve this, we used the following fitness function: $\mathrm{Fitness} = \mathrm{mean} / \chi_c^2$ (page header: AUTOMATED DESIGN OF CRYPTOGRAPHIC HASHES 1493) where $\chi_c^2$ is a corrected value of $\chi^2$, which is calculated as fol...
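The avalanche fitness the paper describes across the Mersenne Twister, Strict Avalanche Criterion and fitness-function contexts above, as an added example that is not code from the paper: draw eight random 32-bit words, flip one random bit of one word, histogram the Hamming distance between the two 32-bit outputs over 8192 trials, compare with the binomial expectation $E_k = 8192 \cdot \Pr(B(1/2, 32) = k)$ and score $\mathrm{mean} / \chi^2$. The two candidate functions and their constants are constructed (the page does not reproduce any evolved function), and pooling sparse tail bins is an assumption about what the paper's "corrected" chi-square does, since the correction itself is cut off on this page. Python's `random.Random` is MT19937, the Mersenne Twister the paper uses.

```python
import math
import random

MASK32 = 0xFFFFFFFF
TRIALS = 8192          # same trial count as the paper's fitness evaluation
WORDS = 8              # eight 32-bit inputs a0..a7
OUT_BITS = 32          # one 32-bit output, so distances should follow B(1/2, 32)


def rotl32(x, r):
    """Fixed-amount 32-bit left rotation (data-independent, as in the paper)."""
    r %= 32
    return ((x << r) | (x >> (32 - r))) & MASK32


def candidate_linear(a):
    """Deliberately weak candidate: plain xor of the inputs. A single flipped
    input bit flips exactly one output bit, so there is no avalanche at all."""
    h = 0
    for w in a:
        h ^= w
    return h


def candidate_nonlinear(a):
    """Constructed candidate using only the paper's operator set: xor,
    addition and multiplication mod 2^32, fixed rotations and shifts.
    Constants are arbitrary (assumption); this is not Wheedham's function."""
    h = 0x9E3779B9
    for w in a:
        h = ((h ^ w) * 0x01000193) & MASK32
        h ^= rotl32(h, 13)
        h = (h + w) & MASK32
    # final mixing so that a flip in the last word also spreads (assumption)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def expected_counts(trials=TRIALS, n=OUT_BITS):
    """E_k = trials * Pr(B(1/2, n) = k): the paper's expected histogram."""
    return [trials * math.comb(n, k) / 2.0 ** n for k in range(n + 1)]


def observed_counts(f, trials=TRIALS, seed=0):
    """The paper's experiment: random input, one random single-bit flip,
    histogram of the output Hamming distance. random.Random is MT19937."""
    rng = random.Random(seed)
    hist = [0] * (OUT_BITS + 1)
    for _ in range(trials):
        a = [rng.getrandbits(32) for _ in range(WORDS)]
        o0 = f(a)
        i, j = rng.randrange(WORDS), rng.randrange(32)
        a[i] ^= 1 << j
        o1 = f(a)
        hist[bin(o0 ^ o1).count("1")] += 1
    return hist


def pooled_chi_square(observed, expected, min_expected=5.0):
    """Chi-square with sparse bins pooled until each expected count is >= 5.
    The page calls the paper's statistic a corrected chi-square without
    reproducing the correction; pooling is the assumption made here."""
    groups, o_acc, e_acc = [], 0.0, 0.0
    for o, e in zip(observed, expected):
        o_acc += o
        e_acc += e
        if e_acc >= min_expected:
            groups.append((o_acc, e_acc))
            o_acc, e_acc = 0.0, 0.0
    if e_acc > 0:  # leftover upper tail joins the last group
        lo, le = groups.pop() if groups else (0.0, 0.0)
        groups.append((lo + o_acc, le + e_acc))
    return sum((o - e) ** 2 / e for o, e in groups)


def avalanche_fitness(f, trials=TRIALS, seed=0):
    """Fitness = mean / chi2 as in the paper: large when the mean distance is
    near n/2 and the histogram matches the binomial; tiny otherwise."""
    hist = observed_counts(f, trials, seed)
    mean = sum(k * c for k, c in enumerate(hist)) / trials
    chi2 = pooled_chi_square(hist, expected_counts(trials))
    return {"mean": mean, "chi2": chi2, "fitness": mean / max(chi2, 1e-12), "hist": hist}


if __name__ == "__main__":
    for name, f in (("linear xor", candidate_linear), ("nonlinear mix", candidate_nonlinear)):
        r = avalanche_fitness(f)
        print(f"{name:14s} mean={r['mean']:.3f} chi2={r['chi2']:.1f} fitness={r['fitness']:.4g}")
```

The weak candidate is the reason the paper measures the whole histogram and not only the mean: a function whose mean distance is far from 16 is caught by the mean term, but a function with the right mean and the wrong spread is only caught by the chi-square term, and the tiny expected counts at the tails would otherwise let one stray trial dominate the statistic.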

6 | A cellular automaton based fast one-way hash function suitable for hardware implementation - Mihaljevic, Zheng, et al.

4 | The RC6 Block Cipher, v1.1 - Rivest, Robshaw, et al. - 1998
Citation Context: ...to maximize. That is the reason why we finally introduced it in the function set. Additionally, there are many other cryptographic primitives that make extensive use of multiplication, notably RC6 [9]. Similarly, after many experiments, we concluded that the functions vroti and vrotd were interchangeable and that using them at the same time was neither necessary nor useful, so we arbitrarily decided t...

4 | Block cipher based on reversible cellular automata - Seredynski, Bouvry - 2005

4 | An improved key stream generator based on the programmable cellular automata - Mihaljevic - 1997

3 | A one-way hash function based on a two-dimensional cellular automaton - Hirose, Yoshida - 1997

1 | A statistical test suite for random and pseudorandom number generators for cryptographic applications - Rukhin, Soto, et al.
Citation Context: ...i.e., encrypting the low-entropy input described above with the key set to 0. The resulting ciphertext has been analyzed with three batteries of statistical tests, namely ENT [25], Diehard [26], and NIST [27]. The results obtained are presented in Tables 1 and 2. A similar experiment has been performed by analyzing the hashes obtained after applying MPW-512-R2 to the same inputs. Both proposals also passe...

1 | Estevez-Tapiador is Associate Professor at the Computer Science Department of Carlos III University of Madrid. He holds a M.Sc. in Computer Science from the University of Granada (2000), where he obtained the Best Student Academic Award, and a Ph.D. in Co - Bernstein, design
Citation Context: ...the use of the multiplication mod $2^{32}$ operation comes with respect to timing attacks, where the input-dependent time used to perform this operation (due to optimizations) could leak some information [33]. Other operations that are usually prone to timing attacks and that we have avoided by construction are data-dependent rotations (only fixed-amount rotations are used in Wheedham), and s-box lookups (...