Jian Guo scite author profile

Abstract. We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related-or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation.

show abstract

The PHOTON Family of Lightweight Hash Functions

Guo

2011

View full text Add to dashboard Cite

Abstract. RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an on-tag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active Sboxes. This kind of AES-like primitive is usually not well suited for ultra constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.

show abstract

Preimages for Step-Reduced SHA-2

et al. 2009

View full text Add to dashboard Cite

Abstract. In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2 251.9 , 2 509 for finding pseudo-preimages and 2 254.9 , 2 511.5 compression function operations for full preimages. The memory requirements are modest, around 2 6 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.

show abstract

Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2

Guo

Ling

Rechberger

et al. 2010

View full text Add to dashboard Cite

We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks runs in time 2 188.8 for finding preimages, and 2 188.2 for second-preimages. Both have memory requirement of order 2 8 , which is much less than in any other recent preimage attacks on reduced Tiger. Using pre-computation techniques, the time complexity for finding a new preimage or second-preimage for MD4 can now be as low as 2 78.4 and 2 69.4 MD4 computations, respectively. The second-preimage attack works for all messages longer than 2 blocks. To obtain these results, we extend the meet-in-the-middle framework recently developed by Aoki and Sasaki in a series of papers. In addition to various algorithm-specific techniques, we use a number of conceptually new ideas that are applicable to a larger class of constructions. Among them are (1) incorporating multi-target scenarios into the MITM framework, leading to faster preimages from pseudo-preimages, (2) a simple precomputation technique that allows for finding new preimages at the cost of a single pseudo-preimage, and (3) probabilistic initial structures, to reduce the attack time complexity. All the techniques developed await application to other hash functions. To illustrate this, we give as another example improved preimage attacks on SHA-2 members.

show abstract

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions

Song

Guo

Shi

et al. 2018

View full text Add to dashboard Cite

(Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others

Feng

et al. 2012

View full text Add to dashboard Cite

The Grøstl hash function is one of the 5 final round candidates of the SHA-3 competition hosted by NIST. In this paper, we study the preimage resistance of the Grøstl hash function. We propose pseudo preimage attacks on Grøstl hash function for both 256-bit and 512-bit versions, i.e., we need to choose the initial value in order to invert the hash function. Pseudo preimage attack on 5(out of 10)-round Grøstl-256 has a complexity of (2 244.85 , 2 230.13 ) (in time and memory) and pseudo preimage attack on 8(out of 14)-round Grøstl-512 has a complexity of (2 507.32 , 2 507.00 ). To the best of our knowledge, our attacks are the first (pseudo) preimage attacks on round-reduced Grøstl hash function, including its compression function and output transformation. These results are obtained by a variant of meet-in-the-middle preimage attack framework by Aoki and Sasaki. We also improve the time complexities of the preimage attacks against 5-round Whirlpool and 7-round AES hashes by Sasaki in FSE 2011.Grøstl is a double-pipe design, i.e., the size of the chaining value (2n-bit) is twice as the hash size (n-bit). Message length should be less than 2 73 − 577 bits. The padding rule is not introduced here, since it's not important in our attack.The compression function of Grøstl is written as:Where H is the chaining value and M is the message block, both are of 2n bits. After all message blocks are processed, the last chaining value X is used as input of the output transformation, which is written as Ω(X) = T runc n (P (X) ⊕ X)The right half of P (X) ⊕ X is used as the hash value. The compression function and output transformation are illustrated in Fig. 2.

show abstract

Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis

Sun

Liu

Guo

et al. 2016

View full text Add to dashboard Cite

Automatic Search of Meet-in-the-Middle Preimage Attacks on AES-like Hashing

Bao

Dong

Guo

et al. 2021

View full text Add to dashboard Cite

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Jian Guo

The LED Block Cipher

The PHOTON Family of Lightweight Hash Functions

Preimages for Step-Reduced SHA-2

Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions

(Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others

Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis

Automatic Search of Meet-in-the-Middle Preimage Attacks on AES-like Hashing

Contact Info

Product

Resources

About