
Fast Software Encryption

Content
- Title
- Preface
- Organization
- Table of Contents
- Differential Cryptanalysis
- Differential Cryptanalysis of Round-Reduced PRINTcipher: Computing Roots of Permutations
- Introduction
- A Short Description of PRINTcipher
- Using Differential Cryptanalysis to Recover the Permutation Key
- Optimal Differential Characteristic
- Targeting the xor Key
- Targeting the Linear Layer
- Finding (PRINTcipher)-Roots of a Permutation
- The General Case
- PRINTcipher-Roots
- Experimental Verifications
- Conclusions
- References
- Search for Related-Key Differential Characteristics in DES-Like Ciphers
- Introduction
- Description of DES-Like Block Ciphers
- Automatic Search for Related-Key Differential Characteristics in DES-Like Ciphers
- Matsui's Approach for Single-Key Characteristics
- Applying Matsui's Approach for Related-Key Characteristics
- The Split Approach
- The Case of DES
- The Case of DESL
- The Case of s2DES
- Conclusions
- References
- Multiple Differential Cryptanalysis: Theory and Practice
- Introduction
- Theoretical Framework
- Presentation and Notation
- Time and Memory Complexities
- Theoretical Framework
- Data Complexity and Success Probability
- Application to Known Differential Cryptanalyses
- Experimental Validation
- Description of PRESENT and SMALLPRESENT-[s]
- Experimental Validation of the Obtained Formulas
- On the Estimations of the Probabilities p and p*
- Application to PRESENT
- Conclusions
- References
- Invited Talk
- Fast Correlation Attacks: Methods and Countermeasures
- Introduction
- Correlation Attacks
- Fast Correlation Attacks
- Towards Correlation Immunity
- Combiners with Memory
- Linear Attacks
- Open Problems
- References
- Hash Functions I
- Analysis of Reduced-SHAvite-3-256 v2
- Introduction
- The SHAvite-3-256 Hash Function
- The Block Cipher E256
- The Message Expansion
- Rebound and Super-Sbox Analysis of SHAvite-3-256
- The Cryptanalyst Tool 1: The Truncated Differential Path
- The Cryptanalyst Tool 2: The Freedom Degrees
- Super-Sbox Attacks for Reduced SHAvite-3-256
- Chosen-Related-Salt Distinguishers
- 7-Round Distinguisher with $2^{7}$ Computations
- 8-Round Distinguisher with $2^{25}$ Computations
- Conclusion
- References
- An Improved Algebraic Attack on Hamsi-256
- Introduction
- Description of Hamsi-256
- A Direct Attack on Hamsi-256
- The Properties and Weaknesses of Hamsi-256 Which Are Exploited by the Attack
- Analysis of Polynomials of Degree 6 in 32 Variables
- Efficiently Eliminating Wrong Messages
- Improving the Direct Attack by Using Pseudo Preimages
- The Polynomial Analysis Algorithm
- The Query Algorithm
- Post Filtering the Solutions
- Finding a Good Sequence of Analyzed Bits
- Details of the Pseudo Preimage Attack on Hamsi-256
- Using Pseudo Preimages to Obtain Second Preimages for Hamsi-256
- Second Preimages for Longer Messages of Hamsi-256
- Conclusions
- References
- Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function
- Introduction
- Description of ECHO
- Differential Attack for Hash Functions
- Reordering of Transformations in the ECHO Permutation
- Truncated Differential Path
- Finding a Message Pair Conforming to the Differential Path
- Overview of the Attack
- Collision on the 4-Round Compression Function
- Partial Message Pair for the First Subpart
- Finding a Message Pair for the Second Subpart
- Completing the Partial Message Pair of the First Subpart
- Compression Phase in the Feed Forward
- Final Merging Phase
- Conclusion
- References
- Security and Models
- On Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model
- Introduction
- Notation and Related-Key Attacks
- A Generic Cipher-Dependent Attack
- RKD Functions with Access to E and $E^{-1}$
- Interpretations in the Standard Model
- References
- On the Security of Hash Functions Employing Blockcipher Postprocessing
- Introduction
- Preliminaries
- Hash Function with Output Transformation E(x)x
- Computability
- PRO Analysis of a Hash Function with OT E(x)x
- Application of Theorem 1: PRO Analysis of a Variant of Grøstl
- PRO Analysis of Hash Functions with PGV Output Transformations
- PRO Attacks on Hash Functions with Some DBL Output Transformations
- The Case of OT(x)=f(x)||f(xp)
- PRO Attack with OT(x)=Fi(x) for i=8, 12, (Fig. 3)
- Conclusion
- References
- Stream Ciphers
- Breaking Grain-128 with Dynamic Cube Attacks
- Introduction
- Cube Attacks and Cube Testers
- Cube Attacks
- Cube Testers
- A Simple Example of Dynamic Cube Attacks
- Dynamic Cube Attacks on Grain-128
- Description on Grain-128
- Previous Attacks
- Outline of the New Attacks on Grain-128
- Details of the First Attack
- A Partial Simulation Phase
- A Generic Key Recovery Method
- Details of the Second Attack
- Details of the Third Attack
- Discussion
- Generalizing the Attack
- Conclusions and Open Issues
- References
- Cryptanalysis of the Knapsack Generator
- Introduction
- Previous Cryptanalytic Results
- Contribution of This Paper
- Road Map
- Problem Formalization
- A System of Modular Equations
- Weight Approximation Matrices
- Prediction with Approximate Weights
- Finding Good Approximation Matrices
- Description of the Attack and Empirical Results
- Description of the Attack
- Practical Attack for n=32
- Empirical Results for Larger n
- Analysis of the Fast Knapsack Generator
- The Fast Generator over Prime Fields
- The Fast Generator Modulo $2^n$
- Discussion
- References
- Attack on Broadcast RC4 Revisited
- Introduction
- Bytes 3 to 255 of PRGA are Biased to Zero
- A Class of New Distinguishers
- A Critical Analysis of the Event (zr = 0) Given jr = or =0
- Guessing State Information Using the Bias in zr
- Attacking the RC4 Broadcast Scheme
- Non-randomness of j in PRGA
- Non-randomness of j1
- Non-randomness of j2
- Randomness of jr for r 3
- Conclusion
- References
- Hash Functions II
- Boomerang Attacks on BLAKE-32
- Introduction
- Description of BLAKE32
- Boomerang Attacks on Block Ciphers and Compression Functions
- Round-Reduced Differential Trails in BLAKE-32
- Boomerang Attacks on the Compression Function of BLAKE-32
- Boomerang Attacks on the Keyed Permutation of BLAKE-32
- Conclusions
- References
- Practical Near-Collisions on the Compression Function of BMW
- Introduction
- Compression Function Attacks
- Description of BMW
- Previous Results
- Our Results
- Solving a System of Additions and Xor
- Using Collisions in f0
- Collisions in f0 with Some Words of H Inactive
- Using Partial-Collisions in f0
- Using Near Collisions in AddElement
- Conclusion
- References
- Higher-Order Differential Properties of Keccak and Luffa
- Introduction
- A New Bound on the Degree of Some Iterated Permutations
- Distinguishing Properties Related to the Algebraic Degree
- Higher-Order Derivatives
- Zero-Sum Structures
- Application to the Keccak-f Permutation
- The Keccak-f Permutation
- Zero-Sum Partitions for the Full Keccak-f Permutation
- Application to the Hash Function Luffa
- The Luffa Hash Function
- Algebraic Degree of the Qj Permutation and Its Inverse
- Higher-Order Differentials for the Compression Function of Luffa v2
- Zero-Sum Partitions for the Qj Permutations
- Higher-Order Differentials for the Full Luffa v1 Hash Function
- Degree of the Full Luffa v2 Hash Function with Chosen IVs
- Conclusions
- References
- Block Ciphers and Modes
- Cryptanalysis of PRESENT-Like Ciphers with Secret S-Boxes
- Introduction
- The Cipher
- Principle of the Attack
- Relaxed Truncated Differentials
- The Attack in Practice
- Data Collection Phase
- S-Box Recovery Phase
- Case Study: The Block Cipher Maya
- Model for the Complexity of Recovering Sets De
- Extensions
- Linear Cryptanalysis
- Fully Random PRESENT-Like Ciphers
- Conclusion
- References
- A Single-Key Attack on the Full GOST Block Cipher
- Introduction
- Preliminaries
- Description of GOST
- 3-Subset MITM Attack
- Reflection Attack
- Reflection-Meet-in-the-Middle Attack
- Details of the R-MITM Attack
- Evaluation of the R-MITM Attack
- R-MITM Attack on the Full GOST Block Cipher
- Reflection Property of GOST
- Effective MITM Technique Using Equivalent Keys on Short Rounds
- Evaluation
- Conclusion
- References
- The Software Performance of Authenticated-Encryption Modes
- Introduction
- The Mode OCB3
- Experimental Results
- Proof of Security for OCB3
- Stretch-then-Shift Universal Hash
- The TBC-Based Generalization of OCB3
- Instantiating the TBC
- References
- Linear and Differential Cryptanalysis
- Cryptanalysis of Hummingbird-1
- Introduction
- Description of Hummingbird-1
- Notation and Parameters
- The 16-Bit Permutation E
- Initialization
- The Encryption Function
- Building an Attack
- An Iterative Differential
- Attacking K(1)
- Attacking K(4)
- Attacking K(3)
- Attacking K(2)
- Discussion
- Implementing the Attack
- Lessons Learned
- Conclusions
- References
- The Additive Differential Probability of ARX
- Introduction
- Definition of $\mathrm{adp}^{\ll}$
- Computation of $\mathrm{adp}^{\oplus}$ Using S-Functions
- Definition of $\mathrm{adp}^{\mathrm{ARX}}$
- Computation of $\mathrm{adp}^{\mathrm{ARX}}$
- The Initial State
- The Final State
- A Special Intermediate State
- Computing $\mathrm{adp}^{\mathrm{ARX}}$
- Proof of Correctness
- Experiments
- Conclusions
- References
- Linear Approximations of Addition Modulo $2^n-1$
- Introduction
- Preliminaries
- Linear Approximation and Its Correlation
- Linear Approximations of the Addition Modulo $2^n$
- Some Properties on Linear Approximations of the Addition Modulo $2^n-1$
- Addition of Two Inputs in $F_{2^n-1}$
- Addition of More than Two Inputs in $F_{2^n-1}$
- More Properties of Linear Approximations of the Addition Modulo $2^n-1$ with Two Inputs
- The Limit of cor(1
- 1k) for the Addition in F2n-1 when n
- Conclusion
- References
- Hash Functions III
- Meet-in-the-Middle Preimage Attacks on AES Hashing Modes and an Application to Whirlpool
- Introduction
- Specifications
- Previous Work
- Meet-in-the-Middle Preimage Attacks
- Previous Analysis on AES
- Basic Idea of Our Attack and Techniques for Extension
- Basic Attack for 4-Round AES
- Techniques for Attacking More Rounds
- Preimage Attack against 7-Round AES
- Discussion
- Concluding Remarks
- References
- Known-Key Distinguishers on 11-Round Feistel and Collision Attacks on Its Hashing Modes
- Introduction
- Preliminaries
- Previous and Related Work
- Basic Notions
- Rebound-Attack Technique
- New Known-Key Attacks on Feistel Ciphers
- Basic 9R Attack on the Feistel Ciphers
- Extended 11R Attack on the Feistel Ciphers
- "Shrunken" 9R Attack: Case (N,c)=(64,8)
- Application to MMO and Miyaguchi-Preneel Modes
- Eleven-Round Half-Collision Attack
- Nine-Round Full-Collision Attack
- Nine-Round Near-Collision Attack: Case (N,c)=(64,8)
- Seven-Round Full-Collision Attack: Case (N,c)=(64,8)
- Generality of Our Known-Key Distinguishers
- When S-Boxes Are Biased
- When P Is Not an MDS Matrix
- When 2c&r
- Conclusion
- References
- Author Index
System requirements
File format: PDF
Copy protection: Watermark-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Use the free software Adobe Reader, Adobe Digital Editions, or any other PDF viewer of your choice (see eBook Help).
- Tablet/Smartphone (Android; iOS): Install the free app Adobe Digital Editions or another reading app for eBooks, e.g., PocketBook (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Watermark-DRM, a "soft" copy protection. This means that there are no technical restrictions to prevent illegal distribution. However, there is a personalised watermark embedded in the eBook that can be used to identify the purchaser of the eBook in the event of misuse and to provide evidence for legal purposes.
For more information, see our eBook Help page.