research-article

Crack me if you can: hardware acceleration bridging the gap between practical and theoretical cryptanalysis?: a Survey

Authors:
Mustafa Khairallah

NTU, Singapore

NTU, Singapore
View Profile

,
Zakaria Najm

NTU, Singapore

NTU, Singapore
View Profile

,
Anupam Chattopadhyay

NTU, Singapore

NTU, Singapore
View Profile

,
Thomas Peyrin

NTU, Singapore

NTU, Singapore
View Profile

SAMOS '18: Proceedings of the 18th International Conference on Embedded Computer Systems: Architectures, Modeling, and SimulationJuly 2018Pages 167–172https://doi.org/10.1145/3229631.3239366

Published:15 July 2018Publication History

SAMOS '18: Proceedings of the 18th International Conference on Embedded Computer Systems: Architectures, Modeling, and Simulation

Pages 167–172

ABSTRACT

Cryptanalysis is an essential part of cryptology. Not just is it useful to break ciphers for malicious applications, but it is also the basis for building secure ones. In fact almost all the ciphers still in use are trusted to be secure mainly due to the fact that many cryptanalysts are trying hard to break them publicly and failing. However, most of the time successful cryptanalytic results end up violating the cipher designers claims, but the attack itself remains theoretical due to the lack of enough resources/algorithms to efficiently implement it. For example, while the first practical SHA-1 collision was found in 2017, most of the ideas and vulnerabilities behind the attack had been discovered in 2005. The internet and IT industries didn't give much attention to the early theoretical results and it wasn't until 2016 that internet browsers starting getting rid of SHA-1. The leap from 2005 to 2017 was due to advancements in the attack algorithms, implementation techniques and hardware fabrication technologies. While hardware fabrication so far keeps on improving according to Moore's law, the other two aspects require a lot of research effort. In this survey, we touch on several examples of these efforts over the years. The survey is divided into three parts, cryptanalytic attacks designed with specific implementation requirements, previous cryptanalytic machines and quantum computers, the technology that promises to change how we think about cryptography and cryptanalysis.

References

Elaine Barker. 2016. Recommendation for key management part 1: General. NIST special publication (2016).Google Scholar
Sam Biddle. 2017. NYU ACCIDENTALLY EXPOSED MILITARY CODE-BREAKING COMPUTER PROJECT TO ENTIRE INTERNET. URL https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-braking-computer-project-to-entire-internet/ (2017).Google Scholar
Eli Biham and Rafi Chen. 2004. Near-collisions of SHA-0. In Annual International Cryptology Conference. Springer, 290--305.Google ScholarCross Ref
Eli Biham, Rafi Chen, and Antoine Joux. 2015. Cryptanalysis of SHA-0 and Reduced SHA-1. Journal of Cryptology 28, 1 (2015), 110--160. Google ScholarDigital Library
Eli Biham, Rafi Chen, Antoine Joux, Patrick Carribault, Christophe Lemuet, and William Jalby. 2005. Collisions of SHA-0 and Reduced SHA-1. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 36--57. Google ScholarDigital Library
Dan Boneh, Christopher Dunworth, and Richard J Lipton. 1995. Breaking DES Using a Molecular Computer. Proceedings of DIMACS workshop on DNA computing (1995).Google Scholar
Frank Carter. 2008. The Turing Bombe. Bletchley Park Trust.Google Scholar
Florent Chabaud and Antoine Joux. 1998. Differential collisions in SHA-0. In Annual International Cryptology Conference. Springer, 56--71. Google ScholarDigital Library
Rafael Chen and Eli Biham. 2011. New Techniques for Cryptanalysis of Cryptographic Hash Functions. Ph.D. Dissertation. Computer Science Department, Technion.Google Scholar
Martin Cochran et al. 2007. Notes on the Wang et al. 263 SHA-1 Differential Path. IACR Cryptology ePrint Archive 2007 (2007), 474.Google Scholar
Christophe De Canniere, Florian Mendel, and Christian Rechberger. 2007. Collisions for 70-Step SHA-1: on the full cost of collision search. In International Workshop on Selected Areas in Cryptography. Springer, 56--73. Google ScholarDigital Library
Christophe De Canniere and Christian Rechberger. 2006. Finding SHA-1 characteristics: General results and applications. In International Conference on the Theory and Application ofCryptology and Information Security. Springer, 1--20. Google ScholarDigital Library
Whitfield Diffie and Martin E Hellman. 1977. Special feature exhaustive cryptanalysis of the NBS data encryption standard. Computer 10, 6 (1977), 74--84. Google ScholarDigital Library
John Gilmore. 1998. Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design. Google ScholarDigital Library
Evgeny A Grechnikov. 2010. Collisions for 72-step and 73-step SHA-1: Improvements in the Method of Characteristics. IACR Cryptology ePrint Archive 2010 (2010), 413.Google Scholar
Tim Güneysu, Timo Kasper, Martin Novotnỳ, Christof Paar, and Andy Rupp. 2008. Cryptanalysis with COPACOBANA. IEEE Trans. Comput. 57, 11 (2008), 1498--1513. Google ScholarDigital Library
Muhammad Hassan, Ayesha Khalid, Anupam Chattopadhyay, Christian Rechberger, Tim Güneysu, and Christof Paar. 2015. New asic/fpga cost estimates for sha-1 collisions. In Digital System Design (DSD), 2015 Euromicro Conference on. IEEE, 669--676. Google ScholarDigital Library
Martin Hellman. 1980. A cryptanalytic time-memory trade-off. IEEE transactions on Information Theory 26, 4 (1980), 401--406. Google ScholarDigital Library
Antoine Joux. 2009. Algorithmic cryptanalysis. CRC Press. Google ScholarDigital Library
Antoine Joux and Thomas Peyrin. 2007. Hash functions and the (amplified) boomerang attack. In Annual International Cryptology Conference. Springer, 244--263. Google ScholarDigital Library
Charanjit S Jutla and Anindya C Patthak. 2005. A Matching Lower Bound on the Minimum Weight of SHA-1 Expansion Code. IACR Cryptology ePrint Archive 2005 (2005), 266.Google Scholar
Pierre Karpman. 2016. Analyse de primitives symétriques. Ph.D. Dissertation. Université Paris-Saclay.Google Scholar
Pierre Karpman, Thomas Peyrin, and Marc Stevens. 2015. Practical free-start collision attacks on 76-step SHA-1. In Annual Cryptology Conference. Springer, 623--642.Google ScholarCross Ref
J Keller and B Seitz. 2012. A Hardware-Based Attack on the A5/1 Stream Cipher (2001). URL http://pv.fernuni-hagen.de/docs/apc2001-final.pdf. Accessed April (2012).Google Scholar
Sandeep Kumar, Christof Paar, Jan Pelzl, Gerd Pfeiffer, and Manfred Schimmler. 2006. Breaking ciphers with COPACOBANA-a cost-optimized parallel code breaker. In International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 101--118. Google ScholarDigital Library
Bjoern Lekitsch, Sebastian Weidt, Austin G Fowler, Klaus Mølmer, Simon J Devitt, Christof Wunderlich, and Winfried K Hensinger. 2017. Blueprint for a microwave trapped ion quantum computer. In Science Advances, Vol. 3. American Association for the Advancement of Science, e1601540.Google Scholar
Stéphane Manuel. 2008. Classification and generation of disturbance vectors for collision attacks against SHA-1. (2008).Google Scholar
Stéphane Manuel. 2011. Classification and generation of disturbance vectors for collision attacks against SHA-1. Designs, Codes and Cryptography 59, 1--3 (2011), 247--263. Google ScholarDigital Library
Stéphane Manuel and Thomas Peyrin. 2008. Collisions on SHA-0 in one hour. In International Workshop on Fast Software Encryption. Springer, 16--35.Google ScholarDigital Library
Nick Marinoff. 2018. Samsung Is Building ASIC Chips for Halong Mining. URL https://bitcoinmagazine.com/articles/samsung-building-asic-chips-halong-mining/ (2018).Google Scholar
Krystian Matusiewicz and Josef Pieprzyk. 2006. Finding good differential patterns for attacks on SHA-1. In Coding and Cryptography. Springer, 164--177. Google ScholarDigital Library
Cameron McDonald, Philip Hawkes, and Josef Pieprzyk. 2009. Differential Path for SHA-1 with complexity O (252). IACR Cryptology ePrint Archive 2009 (2009), 259.Google Scholar
Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen. 2006. The impact of carries on the complexity of collision attacks on SHA-1. In International Workshop on Fast Software Encryption. Springer, 278--292. Google ScholarDigital Library
Florian Mendel, Christian Rechberger, and Vincent Rijmen. 2007. Update on SHA-1. rump session of CRYPTO 2007 (2007).Google Scholar
Yusuke Naito, Yu Sasaki, Takeshi Shimoyama, Jun Yajima, Noboru Kunihiro, and Kazuo Ohta. 2006. Improved collision search for SHA-0. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 21--36. Google ScholarDigital Library
Thomas Peyrin. 2008. Analyse de fonctions de hachage cryptographiques. Ph.D. Dissertation. PhD thesis, University of Versailles.Google Scholar
John M Pollard. 1978. Monte Carlo methods for index computation (ðİðžðİŚİJðİŚŚðİŚİ). Mathematics of computation 32, 143 (1978), 918--924.Google Scholar
Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen. 2005. Exploiting coding theory for collision attacks on SHA-1. In IMA International Conference on Cryptography and Coding. Springer, 78--95. Google ScholarDigital Library
Brian Randell. 1982. Colossus: Godfather of the computer. In The Origins of Digital Computers. Springer, 349--354.Google ScholarCross Ref
Vincent Rijmen and Elisabeth Oswald. 2005. Update on SHA-1. In CryptographersâĂŽ Track at the RSA Conference. Springer, 58--71. Google ScholarDigital Library
Mikolos Santha. 2018. Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers?. In FWS01 Quantum Cryptography. Centre for Quantum Technologies, NUS Singapore and CNRS IRIF, Universite Paris Diderot France.Google Scholar
Mark Stamp and Richard M Low. 2007. Applied cryptanalysis: breaking ciphers in the real world. John Wiley & Sons. Google ScholarDigital Library
Marc Stevens. 2013. New collision attacks on SHA-1 based on optimal joint local-collision analysis. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 245--261.Google ScholarCross Ref
Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov. 2017. The first collision for full SHA-1. In Annual International Cryptology Conference. Springer, 570--596.Google ScholarCross Ref
Marc Stevens, Pierre Karpman, and Thomas Peyrin. 2016. Freestart collision for full SHA-1. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 459--483.Google ScholarCross Ref
Marc Martinus Jacobus Stevens et al. 2012. Attacks on hash functions and applications. Mathematical Institute, Faculty of Science, Leiden University.Google Scholar
Vikram Suresh, Sudhir Satpathy, and Sanu Mathew. 2018. Bitcoin mining hardware accelerator with optimized message digest and message scheduler datapath. US Patent App. 15/274,200.Google Scholar
Christopher Swenson. 2008. Modern cryptanalysis: techniques for advanced code breaking. John Wiley & Sons. Google ScholarDigital Library
Eran Tromer. 2007. Hardware-based cryptanalysis.Google Scholar
Paul C Van Oorschot and Michael J Wiener. 1999. Parallel collision search with cryptanalytic applications. Journal of cryptology 12, 1 (1999), 1--28. Google ScholarDigital Library
Xiaoyun Wang. 2006. Cryptanalysis of hash functions and potential dangers. In Invited Talk at the Cryptographer's Track at RSA Conference 2006.Google Scholar
Xiaoyun Wang, Andrew C Yao, and Frances Yao. 2005. Cryptanalysis on SHA-1. In Cryptographic Hash Workshop hosted by NIST.Google Scholar
Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. 2005. Finding collisions in the full SHA-1. In Annual international cryptology conference. Springer, 17--36. Google ScholarDigital Library
Xiaoyun Wang, Hongbo Yu, and Yiqun Lisa Yin. 2005. Efficient collision search attacks on SHA-0. In Annual International Cryptology Conference. Springer, 1--16. Google ScholarDigital Library
Jun Yajima, Terutoshi Iwasaki, Yusuke Naito, Yu Sasaki, Takeshi Shimoyama, Noboru Kunihiro, and Kazuo Ohta. 2008. A strict evaluation method on the number of conditions for the SHA-1 collision search. In Proceedings of the 2008 ACM symposium on Information, computer and communications security. ACM, 10--20. Google ScholarDigital Library
Jun Yajima, Yu Sasaki, Yusuke Naito, Terutoshi Iwasaki, Takeshi Shimoyama, Noboru Kunihiro, and Kazuo Ohta. 2007. A new strategy for finding a differential path of SHA-1. In Australasian Conference on Information Security and Privacy. Springer, 45--58. Google ScholarDigital Library

Crack me if you can: hardware acceleration bridging the gap between practical and theoretical cryptanalysis?: a Survey

Recommendations

Practical cryptanalysis of ARMADILL02
FSE'12: Proceedings of the 19th international conference on Fast Software Encryption

The ARMADILLO2 primitive is a very innovative hardware-oriented multi-purpose design published at CHES 2010 and based on data-dependent bit transpositions. In this paper, we first show a very unpleasant property of the internal permutation that allows ...
Read More
Can GOST Be Made Secure Against Differential Cryptanalysis?

Nothing can be more mistaken. In this article, the authors review 40 years of development of block ciphers in order to resist differential attacks. They study all ten known sets of GOST S-boxes. It appears that the choice of S-boxes has a limited effect ...
Read More
Impossible differential cryptanalysis of reduced-round ARIA and Camellia

This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far. The designers of ARIA expected no ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SAMOS '18: Proceedings of the 18th International Conference on Embedded Computer Systems: Architectures, Modeling, and Simulation
July 2018
263 pages
ISBN:9781450364942
DOI:10.1145/3229631
General Chair:
Trevor Mudge
University of Michigan - Ann Arbor
,
Program Chair:
Dionisios N. Pnevmatikatos
Technical University of Crete and ICS - FORTH, Greece
Copyright © 2018 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 15 July 2018
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 1
  Total Citations
  View Citations
- 83
  Total Downloads
- Downloads (Last 12 months)1
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Crack me if you can: hardware acceleration bridging the gap between practical and theoretical cryptanalysis?: a Survey

SAMOS '18: Proceedings of the 18th International Conference on Embedded Computer Systems: Architectures, Modeling, and Simulation

ABSTRACT

References

Cited By

Recommendations

Practical cryptanalysis of ARMADILL02

Can GOST Be Made Secure Against Differential Cryptanalysis?

Impossible differential cryptanalysis of reduced-round ARIA and Camellia