Donghoon Chang’s research while affiliated with Indraprastha Institute of Information Technology Delhi and other places


Publications (90)


New Distinguishing Attacks on Round-Reduced Sparkle384 and Sparkle512 Permutations
  • Article

July 2024 · 8 Reads · IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Donghoon CHANG · Deukjo HONG · Jinkeon KANG

The Sparkle permutation family is used as an underlying building block of the authenticated encryption scheme Schwaemm and the hash function Esch, which are part of one of the finalists in the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. In this paper, we present distinguishing attacks on 6-round Sparkle384 and 7-round Sparkle512. We use a divide-and-conquer approach and the fact that Sparkle permutations are keyless, a different approach from the designers' long trail strategy. Our attack on Sparkle384 requires much lower time complexity than the existing best one; our attack on Sparkle512 is the best in terms of the number of attacked rounds, as far as we know. However, our results do not controvert the security claim of the Sparkle designers.


Context-Committing Authenticated Encryptions Using Tweakable Stream Cipher
  • Article
  • Full-text available

January 2024 · 18 Reads · IEEE Access

[Figure 7: Compression layer of Farfalle (adapted from [20])]

Committing security of authenticated encryption schemes is an emerging and active field of research, highly motivated by real-world scenarios. CMT-4 security of an authenticated encryption scheme is a security notion in which an adversary must create two distinct tuples, each containing a key, a nonce, associated data and a message, for the encryption sub-routine of the scheme, such that the outputs produced by the encryption sub-routine for the two tuples are the same. In this paper, we analyze the CMT-4 security of four tweakable wide block cipher schemes, HBSH, HCTR2, double-decker and docked-double-decker, under the encode-then-encipher paradigm by prepending zeros, and present CMT-4 attacks with O(1) time complexity for all four schemes. We introduce the notion of a tweakable stream cipher (tS in short) with the property of partial collision resistance, and use it to create four new tweakable wide block cipher schemes: HBtSH, HtS, tS-double-decker and tS-docked-double-decker. These four proposed schemes can be used to create a CMT-4 secure authenticated encryption scheme with the property of partial collision under the encode-then-encipher paradigm. Further, we provide a security proof with partial collision resistance for the four proposed schemes against a CMT-4 adversary.


Lynx: Family of Lightweight Authenticated Encryption Schemes Based On Tweakable Blockcipher

January 2023 · 11 Reads · 6 Citations · IEEE Internet of Things Journal

The widespread deployment of low-power and handheld devices opens an opportunity to design lightweight authenticated encryption schemes. The schemes so proposed must also prove their resilience under various security notions. Romulus-N1 is an authenticated encryption scheme with associated data based on a tweakable blockcipher and the primary variant of the Romulus-N family, which is a National Institute of Standards and Technology (NIST) lightweight cryptography competition finalist; it provides beyond-birthday-bound security for integrity in the nonce-respecting scenario but fails to provide integrity security in the nonce-misuse and release of unverified plaintext (RUP) scenarios. In this article, we propose lynx, a family with 14 members of 1-pass and rate-1 lightweight authenticated encryption schemes with associated data based on a tweakable blockcipher, that provides birthday-bound security for integrity in the nonce-respecting as well as the nonce-misuse and RUP scenarios, and birthday-bound security for privacy in the nonce-respecting scenario. For creating such a family of schemes, we propose a family of functions called $\mathcal{F}$, which provides a total of 72 cases, out of which we show that only 14 can be used for creating authenticated encryption schemes. We provide an implementation of one of the members of the lynx family on four different hardware platforms and compare it with Romulus-N1. The comparison clearly shows that the lynx member outperforms Romulus-N1 on all four platforms.


On Security of Fuzzy Commitment Scheme for Biometric Authentication

November 2022 · 17 Reads · 1 Citation · Lecture Notes in Computer Science

Biometric security is a prominent research area with growing privacy and security concerns related to biometric data, generally known as biometric templates. Among the recently proposed biometric template protection schemes, fuzzy commitment is the most popular and reliable. It uses error correcting codes to deal with the significant number of bit errors present in biometric templates. The high error correcting capability of the underlying error correcting codes is crucial to achieving the desired recognition performance in the biometric system. In general, it is satisfied by padding the input biometric template with some additional bits. The fixed padding approaches proposed in the literature have security vulnerabilities that could disclose the user's biometric data to the attacker, leading to an impersonation attack. We propose a user-specific, random padding scheme that preserves the recognition performance of the system while it prevents the impersonation attack. The empirical results show that the proposed scheme provides 3 times better recognition performance on the IIT Delhi iris database than the baseline, unprotected systems. Through security analysis, we show that the attack complexity of our proposed work is $2^{k}$, where k is the length of the secret message used to generate the codeword, with $k \ge 128$ bits.

Keywords: Fuzzy commitment; Error correcting codes; Bit padding; Biometric security; Authentication; BCH Codes


FbHash-E: A time and memory efficient version of FbHash similarity hashing algorithm

June 2022 · 43 Reads · 4 Citations · Forensic Science International Digital Investigation

Monika Singh · Anviksha Khunteta · [...]

With the rapid advancements in digital technologies and the exponential growth of digital artifacts, automated filtering of cybercrime data for digital investigation from a variety of resources has become the need of the hour. Many techniques primarily based on the "Approximate Matching" approach have been proposed in the literature to address this challenging task. In the year 2019, Chang et al. proposed one such algorithm, FbHash: A New Similarity Hashing Scheme for Digital Forensics, that was shown to produce the best correlation results compared to other existing techniques and also to resist active adversary attacks, unlike others. However, no performance analysis of the tool was given. In this work, we show that the current design structure of FbHash is slower and more memory intensive compared to its peers. We then propose a novel Bloom filter based efficient version, i.e., FbHash-E, that has a much lower memory footprint and is computationally faster compared to FbHash. While the speed of FbHash-E is comparable to other state-of-the-art tools, it is resistant (like its predecessor) to "intentional/intelligent modifications that can fool the tool" attacks, unlike its peers. Our version thus renders FbHash-E fit for practical use cases. We perform various modification tests to evaluate the security and correctness of FbHash-E. Our experiment results show that our scheme is secure against active attacks and detects similarity with 87% accuracy. Compared to FbHash, there is only a 3% drop in accuracy results. We demonstrate the sensitivity and robustness of our proposed scheme by performing a variety of containment and resemblance tests. We show that FbHash-E can correlate files with up to 10% random noise with a 100% detection rate and is able to detect commonality as small as 1% between two documents with an appropriate similarity score. We also show that our proposed scheme performs best at identifying similarities between different versions of software or program files. We also introduce a new test, i.e., the consistency test, and exhibit that our tool produces consistent results across all files under a fixed category with very low standard deviation, unlike other tools where the standard deviation under a fixed test varies significantly. This shows that our tool is more robust and stable against different modifications.


A preimage attack on reduced GIMLI-HASH with unbalanced squeezing phase

March 2022 · 78 Reads

In Conference on Cryptographic Hardware and Embedded Systems 2017, Bernstein et al. proposed gimli, a 384-bit permutation with 24 rounds, which aims to provide high performance on various platforms. In 2019, the full-round (24 rounds) gimli permutation was used as an underlying primitive for building the AEAD gimli-cipher and the hash function gimli-hash, which were submitted to the NIST Lightweight Cryptography Standardisation process and selected as one of the second-round candidates. In Transactions on Symmetric Cryptology 2021, Liu et al. presented a preimage attack with a divide-and-conquer method on round-reduced gimli-hash, which uses 5-round gimli. In this paper, preimage attacks on a round-reduced variant of gimli-hash are presented, in which the message absorbing phase uses 5-round gimli and the squeezing phase uses 9-round gimli. This variant is called 5-9-round gimli-hash. The authors' preimage attack on 5-9-round gimli-hash requires $2^{96.44}$ time complexity and $2^{97}$ memory complexity. Also, this method can be applied up to a round-shifted 10-round gimli in the squeezing phase. The authors' first attack requires memory for storing several precomputation tables in gimli SP-box operations. In the authors' second attack, a time-memory trade-off approach is taken, reducing memory requirements for precomputation tables but increasing computing time for solving SP-box equations by using a SAT solver. This attack requires $2^{66.17}$ memory complexity and $2^{96+\epsilon}$ time complexity, where $\epsilon$ is the time complexity for solving SP-box equations. The authors' experiments using the CryptoMiniSat SAT solver show that the maximum time complexity for $\epsilon$ is about $2^{20.57}$ 9-round gimli.


Resistance of ASCON Family against Conditional Cube Attacks in Nonce-Misuse Setting

January 2022 · 413 Reads · 10 Citations · IEEE Access

The Ascon family is one of the finalists of the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. The family includes three Authenticated Encryption with Associated Data (AEAD) schemes: Ascon-128 (primary), Ascon-128a, and Ascon-80pq. In this paper, we study the resistance of the Ascon family against conditional cube attacks in the nonce-misuse setting, and present new state- and key-recovery attacks. Our attack recovers the full state information and the secret key of Ascon-128a using the 7-round Ascon permutation for the encryption phase, with $2^{117}$ data and $2^{116.2}$ time. This is the best known attack result for Ascon-128a as far as we know. We also show that partial state information of Ascon-128 can be recovered with $2^{44.8}$ data. Finally, by assuming that the full state information of Ascon-80pq was recovered by Baudrin et al.'s attack, we show that the 160-bit secret key of Ascon-80pq can be recovered with $2^{128}$ time. Although our attacks do not invalidate the designers' claim, they allow us to understand the security of Ascon in the nonce-misuse setting.


A Preimage Attack on Reduced Gimli-Hash

January 2022 · 4 Reads · Lecture Notes in Computer Science

In CHES 2017, Bernstein et al. proposed Gimli, a 384-bit permutation with 24 rounds, which aims to provide high performance on various platforms. In 2019, the full-round (24 rounds) Gimli permutation was used as an underlying primitive for building the AEAD Gimli-Cipher and the hash function Gimli-Hash. They were submitted to the NIST Lightweight Cryptography Standardization process and selected as one of the second-round candidates. In ToSC 2021, Liu et al. presented a preimage attack with a divide-and-conquer method on round-reduced Gimli-Hash, which uses 5-round Gimli. In this paper, we present preimage attacks on a round-reduced variant of Gimli-Hash, in which the message absorbing phase uses 5-round Gimli and the squeezing phase uses 9-round Gimli. We call this variant 5-9-round Gimli-Hash. Our first preimage attack on 5-9-round Gimli-Hash requires $2^{96.44}$ time complexity and $2^{97}$ memory complexity. This attack requires memory for storing several precomputation tables in Gimli SP-box operations. In our second preimage attack, we take a time-memory trade-off approach, reducing memory requirements for precomputation tables but increasing computing time for solving SP-box equations by SAT solver. This attack requires $2^{66.17}$ memory complexity and $2^{96+\epsilon}$ time complexity, where $\epsilon$ is the time complexity for solving SP-box equations. Our experiments using the CryptoMiniSat SAT solver show that the maximum time complexity for $\epsilon$ is about $2^{20.57}$ 9-round Gimli.

Keywords: Hash function; Preimage attack; Gimli; Gimli-Hash


BIOFUSE: A framework for multi-biometric fusion on biocryptosystem level

September 2020 · 66 Reads · 29 Citations · Information Sciences

Biometric cryptosystems or biocryptosystems are gaining prominence for cryptographic key generation, encryption and biometric template protection. However, the most popular state-of-the-art biocryptosystems, fuzzy commitment and fuzzy vault, are prone to multiple security attacks. Recently proposed multi-biometric cryptosystems improve security and enhance recognition performance. They perform the fusion of multi-biometric characteristics with either a single biocryptosystem or independently accessed, multiple biocryptosystems. An attack on any of the involved biocryptosystems can weaken the security of the whole system. In our paper, we propose a multi-biometric fusion framework, BIOFUSE, that combines fuzzy commitment and fuzzy vault using a format-preserving encryption scheme. BIOFUSE makes it improbable for an attacker to get unauthorized access to the system without impersonating all the biometric inputs of the genuine user at the same instant. We present the 4 most basic ways of constructing BIOFUSE and find that only 1, named S-BIOFUSE (S3), is a secure design. We compare the recognition performance of the proposed scheme with existing multi-biometric cryptosystems on various databases. The results show a 0.98 true match rate at a 0.01 false match rate on a virtual IITD-DB1 database, which indicates that our proposed work achieves significantly good recognition performance while providing high security.


Cancelable Multi-Biometric Approach Using Fuzzy Extractor and Novel Bit-Wise Encryption

March 2020 · 136 Reads · 56 Citations · IEEE Transactions on Information Forensics and Security

The widespread deployment of multi-biometrics to authenticate users prompts the need for biometric systems with high recognition performance. Further, biometric data, once leaked or stolen, remains compromised forever. Hence biometric security is of utmost importance. Existing biometric template protection schemes either degrade the recognition performance or have issues with security and speed. We propose a cancelable multi-biometric authentication approach where a novel bit-wise encryption scheme transforms a biometric template into a protected template using a secret key generated from another biometric template. It fully preserves the number of bit errors between the original and the protected template to ensure recognition performance equivalent to that of the unprotected systems. We introduce Algorithm I and Algorithm II for bit-wise encryption; both are defined over cryptographic primitives: block-cipher-based encryption and a keyed hash function. We profile these algorithms on various hardware architectures to calculate the efficiency in terms of the time taken during the enrolment and authentication phases. For Algorithm II, we observe that a 3.3 GHz desktop architecture takes about 18 milliseconds on average over 200 runs to authenticate a user. Additionally, we provide a mathematical proof to show that the proposed scheme guarantees secrecy and irreversibility. The results of comparisons with the existing biometric template protection schemes on various face and iris databases show that the proposed work provides significantly good recognition performance and efficiency, while it achieves high security. Finally, the bit-wise encryption scheme can be built over commercial-off-the-shelf systems to achieve security with equivalently high performance.


Citations (66)


... Table 1 presents the fundamentals for the NIST finalists of lightweight ciphers. Lynx [14] is one of the recently proposed families of lightweight AEAD-based block ciphers. It comprises members of the 1-pass and rate-1 variants, providing strong integrity security against birthday-bound attacks in nonce-respecting, nonce-misuse, and related key scenarios. ...

Reference:

Modeling, hardware architecture, and performance analyses of an AEAD-based lightweight cipher
Lynx: Family of Lightweight Authenticated Encryption Schemes Based On Tweakable Blockcipher
  • Citing Article
  • January 2023

IEEE Internet of Things Journal

... A new biometric sample can be submitted to validate identity. Chang et al. [65] proposed a user-specific random padding scheme to enhance the security of fuzzy commitment biometric template protection techniques by eliminating impersonation attacks. The scheme demonstrated enhanced recognition performance and a $2^k$ attack complexity, where k is the secret message length. ...

On Security of Fuzzy Commitment Scheme for Biometric Authentication
  • Citing Chapter
  • November 2022

Lecture Notes in Computer Science

... Within the range of attacks on the algebraic features of Ascon, conditional cube attacks can be distinguished. In particular, in [25], an attack that recovers the complete state and secret key of Ascon-128a, using seven of the eight rounds of the Ascon permutation in the intermediate phase, is presented. This is the best known attack for this version of the algorithm. ...

Resistance of ASCON Family against Conditional Cube Attacks in Nonce-Misuse Setting

IEEE Access

... PBFT is characterized by removing the mortgage with our rights and reducing the consumption of competitive resources, which can reduce the cost of malicious nodes, and reduce the impact of malicious nodes on the consensus. Furthermore, it can also improve the fault tolerance [38,39]. The point-to-point communication of PBFT solves the problem of poor scalability of the other mechanisms, which inevitably increases the communication cost. ...

FbHash-E: A time and memory efficient version of FbHash similarity hashing algorithm
  • Citing Article
  • June 2022

Forensic Science International Digital Investigation

... Despite the aforementioned advantages, the use of multimodal systems raises new challenging issues. The fundamental challenge in designing such a system is to tackle the information fusion constraint due to the features extracted from different modalities may hold discrepant data formats and dimensions [10]. Typically, the data fusion of multiple modalities can be performed at three different levels [11,12], namely: score level [13], feature level [14], and decision level [15]. ...

BIOFUSE: A framework for multi-biometric fusion on biocryptosystem level
  • Citing Article
  • September 2020

Information Sciences

... fingerprint and finger vein) templates by using hashing-based cancellable transformation functions. State-of-the-art approaches for multimodal biometric protection are based on cancelable biometrics [33,34] or cryptosystems [35,36]. However, the cryptosystem-based methods demand extensive computational power, which is not practical in real-time applications. ...

Cancelable Multi-Biometric Approach Using Fuzzy Extractor and Novel Bit-Wise Encryption
  • Citing Article
  • March 2020

IEEE Transactions on Information Forensics and Security

... A dataset with open access and standard evaluation means has been made available via the Kitti lane dataset. In the field of autonomous driving, various datasets have been published online, including those from TuSimple, Caltech, and Cityscapes, as well as the Kitti dataset for the lane dataset [43][44][45][46]. However, when it comes to all of these, the Kitti lane dataset is one of the most widely used ones to assess the system's performance in autonomous vehicles. ...

Multi-lane Detection Using Instance Segmentation and Attentive Voting
  • Citing Conference Paper
  • October 2019

... 1 A cryptographic construction is said to be birthday bound secure if its security retains as long as the number of queries is up to $2^{n/2}$, where n is the block size of the underlying primitive. In literature, there are plenty of constructions which are birthday bound secure [19,21,16,22]. 2 A cryptographic construction is said to be beyond birthday bound secure if its security retains even if the number of queries exceeds $2^{n/2}$, where n is the block size of the underlying primitive. Examples of beyond birthday bound secure constructions include [28,46,29,30,35,33]. 3 Informally, a length expanding PRF takes an input x and the number of blocks b and outputs b many blocks, where block refers to an element of $\{0, 1\}^n$, for some fixed n. ...

Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE

IACR Transactions on Symmetric Cryptology

... All the shares undergo separate processing with individually randomized inputs and are subsequently combined (through XOR of all the shares) at the end to cancel out their individual randomness. For more details, one may refer to, e.g., [15], [17], [18]. ...

Threshold Implementations of GIFT: A Trade-off Analysis
  • Citing Article
  • December 2019

IEEE Transactions on Information Forensics and Security

... The Jaro-Winkler distance algorithm is commonly used to measure the similarity between two strings and is often employed to detect plagiarism cases in documents [26], [27]. This algorithm is faster and more efficient for short strings owing to its effective quadratic-runtime complexity. ...

FbHash: A New Similarity Hashing Scheme for Digital Forensics

Digital Investigation