Michael Gorski’s research while affiliated with Bauhaus-Universität Weimar and other places

Publications (24)


Mars Attacks! Revisited: Differential Attack on 12 Rounds of the MARS Core and Defeating the Complex MARS Key-Schedule
Conference Paper · December 2011 · 20 Reads · 4 Citations
Lecture Notes in Computer Science
Michael Gorski · [...]

The block cipher MARS was designed by a team from IBM and became one of the five finalists for the AES. A unique feature is the use of two entirely different round function types. The "wrapper rounds" are unkeyed, while the key schedule for the "core rounds" is a slow and complex one, much more demanding than, e.g., the key schedule of the AES. Each core round employs a 62-bit round key. The best attack published so far [KKS00] was applicable to 11 core rounds and succeeded in recovering some 163 round key bits. But it neither dealt with inverting the key schedule nor provided any other means to recover the remaining 519 round key bits in use. Our attack applies to 12 core rounds and needs 2^252 operations, 2^65 chosen plaintexts and 2^69 memory cells. After recovering a limited number of cipher key bits, we deal with the inverse key schedule to recover the original encryption key. This allows the attacker to easily generate all the round keys in full.


New Boomerang Attacks on ARIA
December 2010 · 64 Reads · 10 Citations
Lecture Notes in Computer Science

ARIA [5] is a block cipher proposed at ICISC'03. Its design is very similar to the Advanced Encryption Standard (AES). The authors claim that on 32-bit processors the encryption speed is at least 70% of that of the AES, and that it offers a higher security level than AES. In this paper we present three new attacks on reduced-round ARIA which show some weaknesses of the cipher. Moreover, our attacks have the lowest memory complexity compared to existing attacks on ARIA.


Collision Resistant Double-Length Hashing
October 2010 · 28 Reads · 11 Citations
Lecture Notes in Computer Science

We give collision resistance bounds for blockcipher-based, double-call, double-length hash functions using (k,n)-bit blockciphers with k > n. Özen and Stam recently proposed a framework [21] for such hash functions that use 3n-to-2n-bit compression functions and two parallel calls to two independent blockciphers with 2n-bit key and n-bit block size. We take their analysis one step further. We first relax the requirement of two distinct and independent blockciphers. We then extend this framework and also allow the ciphertext of the first blockcipher call to be used as an input to the second call. As far as we know, our extended framework currently covers every double-length, double-call blockcipher-based hash function known in the literature that uses a (2n,n)-bit blockcipher, e.g., Abreast-DM, Tandem-DM [15], Cyclic-DM [9] and Hirose's FSE'06 proposal [13]. Our generic analysis gives a simpler proof than the FSE'09 analysis of Tandem-DM while also tightening the security bound. The collision resistance bound for Cyclic-DM given in [9] diminishes with increasing cycle length c. We improve this bound for cycle lengths larger than 2^6.


Some Observations on Indifferentiability
July 2010 · 43 Reads · 5 Citations
Lecture Notes in Computer Science

At Crypto 2005, Coron et al. introduced a formalism to study the presence or absence of structural flaws in iterated hash functions. If one cannot differentiate a hash function built from ideal primitives from a random oracle, it is considered structurally sound, while the ability to differentiate it from a random oracle indicates a structural weakness. This model was devised as a tool to expose subtle real-world weaknesses while reasoning in the random oracle world. In this paper we take a practical point of view. We show, using well-known examples like NMAC and the Mix-Compress-Mix (MCM) construction, how we can prove a hash construction secure and insecure at the same time in the indifferentiability setting. These constructions do not differ in their implementation but only on an abstract level. Naturally, this raises the question of what to conclude for the implemented hash function. Our results cast doubt on whether "indifferentiability from a random oracle" should be a mandatory, practically relevant criterion (as e.g. proposed by Knudsen [17] for the SHA-3 competition) to separate good hash structures from bad ones.


TWISTER-π: A framework for secure and fast hash functions
July 2010 · 55 Reads · 2 Citations
International Journal of Applied Cryptography

In this paper we present TWISTER-π, a framework for hash functions. It is an improved version of TWISTER, a candidate in the NIST SHA-3 hash function competition. TWISTER-π is built upon the ideas of wide-pipe and sponge functions. The core of this framework is a very easy to analyse Twister-Round providing both extremely fast diffusion and collision-freeness for one internal Twister-Round. The total security level is claimed to be not below 2^(n/2) for collision attacks and 2^n for (2nd) pre-image attacks. TWISTER-π instantiations are secure against all known generic attacks. We also propose two instances TWISTER-π-n for hash output sizes n = 256 and n = 512. These instantiations are highly optimised for 64-bit architectures and run very fast in hardware and software, e.g. TWISTER-π-256 is faster than SHA2-256 on 64-bit platforms and TWISTER-π-512 is faster than SHA2-512 on 32-bit platforms. Furthermore, TWISTER-π scales very well on low-end platforms.



Related-Key Rectangle Attack of the Full HAS-160 Encryption Mode
December 2009 · 31 Reads · 6 Citations
Lecture Notes in Computer Science

In this paper we investigate the security of the encryption mode of the HAS-160 hash function. HAS-160 is a Korean hash standard which is widely used in Korean industry. The structure of HAS-160 is similar to SHA-1 apart from some modifications. In this paper, we present the first cryptographic attack that breaks the encryption mode of the full 80-round HAS-160. SHACAL-1 and the encryption mode of HAS-160 are both blockciphers with a 512-bit key size and a 160-bit plain-/ciphertext size. We apply a key recovery attack that needs about 2^155 chosen plaintexts and 2^377.5 80-round HAS-160 encryptions. The attack does not aim for a collision, preimage or 2nd-preimage, but it shows that HAS-160 used as a block cipher can be differentiated from an ideal cipher faster than by exhaustive search.


Security of Cyclic Double Block Length Hash Functions
December 2009 · 20 Reads · 37 Citations
Lecture Notes in Computer Science

We provide a proof of security for a huge class of double block length hash functions that we call Cyclic-DM. Using this result, we are able to give a collision resistance bound for Abreast-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. In particular, we show that when Abreast-DM is instantiated using a block cipher with 128-bit block length and 256-bit key length, any adversary that asks fewer than 2^124.42 queries cannot find a collision with success probability greater than 1/2. Surprisingly, this roughly 15-year-old construction is one of the few constructions that have the desirable feature of a near-optimal collision resistance guarantee. We are also able to derive several DBL constructions that lead to compression functions offering an even higher security guarantee and more efficiency than Abreast-DM (e.g. by sharing a common key). Furthermore, we give a practical DBL construction that has the highest security guarantee of all DBL compression functions currently known in the literature. We also provide a (relatively weak) analysis of preimage resistance for Cyclic-DM.


Attacking 9 and 10 rounds of AES-256
July 2009 · 49 Reads · 10 Citations
Lecture Notes in Computer Science

AES-256 has received less attention in cryptanalysis than the 192- or 128-bit versions of the AES. In this paper we propose new attacks on 9- and 10-round AES-256. In particular, we present a 9-round attack on AES-256 which has the lowest data complexity of all known 9-round attacks. Our 10-round attack also has a lower data complexity than all known attacks on AES-256. Furthermore, our attack is the first that uses a key differential with probability below one in combination with a related-key boomerang attack. This leads to better related-key differentials which contain fewer non-zero byte differences and rounds with zero byte differences in each byte of a subkey difference.


Memoryless Related-Key Boomerang Attack on 39-Round SHACAL-2
April 2009 · 16 Reads · 5 Citations
Lecture Notes in Computer Science

SHACAL-2 is a 64-round block cipher based on the compression function of the hash function standard SHA-256. It has a 256-bit block size and a variable-length key of up to 512 bits. Up to now, all attacks on more than 37 rounds require at least 2^235 bytes of memory. Obviously such attacks will never become of practical interest due to this high amount of space. In this paper we adopt the related-key boomerang attack and present the first memoryless attack on 39-round SHACAL-2. Our attack only employs 2^8.5 bytes of memory and thus improves the memory complexity of comparable attacks by a factor of at least 2^230, which is a substantial improvement. We do not need to store all the data, which gives this low memory complexity. The related-key boomerang attack presented in this paper can also be seen as a starting point for more advanced attacks on SHACAL-2. The main advantage of our new attack is that we can process the data sequentially instead of in parallel as needed for other attacks, which reduces the memory requirements dramatically.


Citations (20)


... The recent meet-in-the-middle (MITM) attack can break 9-round AES-192 and AES-256 [20]. The related-key attacks are powerful against AES [3,4,5,6,15,17], but the related-key attacks have limited impact on the security of AES when the secret keys in AES are generated securely. ...

Improving Biclique Cryptanalysis on AES
New Related-Key Boomerang Attacks on AES (Full Version)
  • Citing Article

... Thus, so far there was no significant attack on this algorithm from the point of view of communications confidentiality: an attack which would allow decryption or key recovery in a realistic scenario where GOST is used for encryption with various random keys. In contrast, there are already many many papers on weak keys in GOST [27,3], attacks for some well-chosen number of rounds [27,1,37], attacks with modular additions removed [3], related-key attacks [28,17,33], reverse engineering attacks on S-boxes [36,18], and attacks on the hash function based on this cipher [25]. In all these attacks the attacker has much more freedom than we will allow ourselves. ...

Key Recovery Attack on full GOST Block Cipher with Zero Time and Memory
  • Citing Article

... The authors mention that the hash function is realizable in the constrained RFID tag environment. Although we have not implemented a lightweight hash function in our experimental setup, by taking the cycles per byte (cpb) values presented in studies [36] into account, we may figure out the performance of a lightweight hash function compared with SHA-256. Indeed, in our literature survey, we have not met any comparison of the software implementation performances for lightweight hash functions with SHA-256. ...

Classification of the SHA3 Candidates
  • Citing Article
  • Full-text available
  • January 2009

... As a result, it is now common to derive indifferentiability bounds for new proposed modes. Some limitations of the indifferentiability framework have recently been discovered in [11] and [19]. They offer a deep insight into the framework; nevertheless, the observations are not known to affect the security of the indifferentiable hash functions in any meaningful way. ...

Some Observations on Indifferentiability Full version of the paper, an extended abstract appeared in the proceedings of ACISP'10
  • Citing Article

... Since 2000 with the standardization of Rijndael [11] as the Advanced Encryption Standard (AES), an astonishing number of new primitives using components similar to the AES have seen the light of day. Examples of such include, but are not limited to, block ciphers 3D [19], ANUBIS [3], LED [16], mCrypton [21] and PRINCE [9], as well as hash functions like ECHO [5], Grøstl [14], LANE [18], PHOTON [15], Twister [13] and components of CAESAR candidates PAEQ [8], PRIMATEs [1], Prøst [20] and STRIBOB [25]. This can largely be attributed to the seminal wide-trail design strategy [12] which was introduced along with Rijndael and its predecessor SQUARE [10] for the first time. ...

TWISTER-π: A framework for secure and fast hash functions
  • Citing Article
  • July 2010

International Journal of Applied Cryptography

... Specifically, the Rebound attack proposed by Mendel et al. at FSE 2009 [7], the Start-from-the-Middle attack proposed by Mendel et al. at SAC 2009 [8], and the Super-Sbox analysis applied to the rebound attack by Lamberger et al. at Asiacrypt 2009 [15] and by Gilbert and Peyrin at FSE 2010 [9] have a wide range of applications and are powerful analytic tools. In fact, the rebound-based attack has been applied to several SHA-3 candidates [7,8,9,10,11,12,13,14,17] such as Grøstl [18], ECHO [19], JH [20], Cheetah [21], LANE [22], Twister [23]. It has also been applied to other hash functions [7,8,9,15,16] such as Whirlpool [24] and AES hashing modes. ...

The Twister hash function family

... It is clear that this statement is wrong which implies that the collision resistance security bound is incorrect. On the other hand, the two schemes are in the class of cyclic compression functions [8], which have been shown to be secure generally. In this paper, we propose a new compression scheme and demonstrate its security under the ICM. ...

Security of Cyclic Double Block Length Hash Functions
  • Citing Conference Paper
  • December 2009

Lecture Notes in Computer Science

... Boom., and ETD refers to Mixture Differential, Retracing Boomerang and Extended Truncated Differential respectively. related-key setting [BK09,BKN09,GL08,SSA10,FGL09]. A recent addition to the class include the retracing boomerang attack [DKRS20] and the extended truncated differential attack [BGL20] on AES. ...

New Related-Key Boomerang Attacks on AES
  • Citing Conference Paper
  • December 2008

Lecture Notes in Computer Science

... m_b, r_b, m_f, r_f, t_b, t_f, n, k), which are given according to the differential paths proposed by the original author. The specific parameters and differential paths can be found in [10] and [27]. Therefore, we do not know which algorithm is better in our quantum boomerang attacks at the beginning. ...

New Boomerang Attacks on ARIA
  • Citing Conference Paper
  • December 2010

Lecture Notes in Computer Science

... The MARS algorithm uses a 3-stage FN with 16 rounds. The MARS algorithm has a block length of 128 bits, and a key length of 128, 192, or 256 bits can be used [127], [167], [168]. ...

Mars Attacks! Revisited: Differential Attack on 12 Rounds of the MARS Core and Defeating the Complex MARS Key-Schedule
  • Citing Conference Paper
  • December 2011

Lecture Notes in Computer Science