Reference : Collision Spectrum, Entropy Loss, T-Sponges, and Cryptanalysis of GLUON-64 |

Scientific congresses, symposiums and conference proceedings : Paper published in a book | |||

Engineering, computing & technology : Computer science | |||

http://hdl.handle.net/10993/17938 | |||

Collision Spectrum, Entropy Loss, T-Sponges, and Cryptanalysis of GLUON-64 | |

English | |

Perrin, Léo Paul [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >] | |

Khovratovich, Dmitry [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >] | |

Mar-2014 | |

Fast Software Encryption - 21th International Workshop, FSE 2014, London, March 3-5, 2014 | |

Springer | |

Lecture Notes in Computer Science; 8540 | |

82-103 | |

Yes | |

No | |

International | |

21st International Workshop on Fast Software Encryption | |

from 03-03-2014 to 05-03-2014. | |

London | |

United Kingdom | |

[en] Random function ; Collision Probability Spectrum ; GLUON | |

[en] In this paper, we investigate the security provided by iterative non-injective functions. We introduce the Collision Probabilities Spectrum (CPS) to quantify how far from a permutation a function is. In particular, we show that the size of the iterated image of such a function decreases linearly with the number of iterations and that collision trees of quadratic size appear.
We discuss the influence of the CPS over collision search efficiency by connecting it with the function's balance. We then show that the security of a so-called T-Sponge is only marginally impacted by the number of collisions occurring because of the update function. However, the loss of entropy in the update function can lead to a greatly simplified preimage search for a particular family of messages if the rate is small. Consequences of the entropy loss when duplexing the sponge to provide one-pass authenticated encryption and for Davies-Meyer construction are also studied. Finally, we use a heuristic method to estimate the CPS of the update function of GLUON-64. Applying our results, we prove for instance that if a message is only known to end with a sequence of 1 Mb (respectively 1 Gb) of zero bytes, then it is possible to find a preimage for its digest in time $2^{115.3}$ (respectively $2^{105.3}$) instead of $2^{128}$. | |

Fonds National de la Recherche - FnR | |

Researchers | |

http://hdl.handle.net/10993/17938 | |

10.1007/978-3-662-46706-0_5 |

File(s) associated to this reference | ||||||||||||||

| ||||||||||||||

All documents in ORBi^{lu} are protected by a user license.