
EnRUPT SHA-3 Update

05/03/09 | by Sean O’Neil | Categories: News

EnRUPT has been presented at the First SHA-3 Candidate Conference. The good news for EnRUPT is that NIST has allowed tuning the tunable parameters in the first round. The recent collision attack against ïrRUPTx2 is only effective for s = 1 to 4. EnRUPTx2/5 and higher are not affected by this attack. Although differential trails such as:

0000009000000000 - 2^102
00000090000BFF40 - 2^110
00000BD0000BDBD0 - 2^109
0000090000026D90 - 2^62
0000000000000000 - 2^0

or

4924924920822492 - 2^78
A0A8000000000000 - 2^110
000200000AAA0000 - 2^62
A0200000028A0000 - 2^59
0020000002080000 - 2^77
80880000028A0000 - 2^95
2022000008200000 - 2^57
8000000000000000 - 2^25
6924924920002492 - 2^0

do exist for the linearized ïrRUPT64x2-256/6, it is not clear whether they can be exploited at all with only the 64 bits of freedom the attacker has in every input. The probability of an ADD=XOR approximation existing for the first two rounds is much lower than what the 2^64 possible pairs of inputs can satisfy on each step. Unfortunately, our computational resources are insufficient to prove it either way. As it stands, ïrRUPTx2/5 is currently the fastest unbroken variant for any security level.
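As an added illustration (not code from the EnRUPT submission or its authors), the Python below computes how likely a modular addition is to behave like XOR for a given pair of input differences, using the special case of the Lipmaa-Moriai formula for the linearized output difference, and checks it by exhaustive search on small words. It models a generic addition mod 2^n, not EnRUPT's round function, and all function names are hypothetical.

```python
# Added example: cost of an ADD=XOR approximation for one modular addition.
# Generic model of addition mod 2^n; it is not EnRUPT's round function.
from itertools import product


def add_xor_prob_exponent(alpha: int, beta: int, n: int) -> int:
    """Return k such that, over uniform n-bit x and y,
    Pr[((x ^ alpha) + (y ^ beta)) ^ (x + y) == alpha ^ beta] = 2^-k.

    Lipmaa-Moriai formula specialised to output difference alpha ^ beta:
    every active difference bit below the top bit costs one bit of
    probability, because the carry it feeds must stay unchanged."""
    low_mask = (1 << (n - 1)) - 1  # the top bit's carry leaves the word
    return bin((alpha | beta) & low_mask).count("1")


def add_xor_prob_bruteforce(alpha: int, beta: int, n: int):
    """Count the (x, y) pairs for which the addition acts like XOR.
    Returns (hits, total); only practical for small n."""
    mask = (1 << n) - 1
    hits = 0
    for x, y in product(range(1 << n), repeat=2):
        diff = (((x ^ alpha) + (y ^ beta)) ^ (x + y)) & mask
        hits += diff == (alpha ^ beta)
    return hits, 1 << (2 * n)


def formula_matches_bruteforce(n: int = 5) -> bool:
    """Check the closed form against exhaustive search for every
    pair of n-bit input differences."""
    for alpha, beta in product(range(1 << n), repeat=2):
        hits, total = add_xor_prob_bruteforce(alpha, beta, n)
        if hits << add_xor_prob_exponent(alpha, beta, n) != total:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample difference: bits 7 and 4 set in an 8-bit word.
    k = add_xor_prob_exponent(0x90, 0x00, 8)
    print("difference 0x90 holds with probability 2^-%d" % k)
    print("formula verified for 5-bit words:", formula_matches_bruteforce(5))
```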

As we also mentioned at the conference, the discovered colliding pairs for ïrRUPTx2/4 have little to no effect on real-life data. Any difference more than one word away from the collision-generating input set would spread to half of the state bits after one more input word, pushing the complexity of this attack well beyond brute force (2^(h/2)), as almost every bit of the state difference adds one bit to the complexity of this attack. Thus, unlike Merkle-Damgård collisions, it does not allow generation of colliding messages at the same low cost.

We believe that EnRUPT/8 provides a sufficient security margin away from the best attacks, while EnRUPT/H is the simplest, although the slowest, choice, and EnRUPT-256/8, -384/10, -512/12 offer provable security against linearized collisions. Please vote for your preference. We have until June to make a decision and choose the best security/performance trade-off. Currently, the vote is leaning towards EnRUPT/8 as the best choice… Please write to us. We appreciate your input.

The slightly corrected slides (including memory requirements) are available at www.enrupt.com/EnRUPT_2009.pdf and their b/w printable copy at www.enrupt.com/EnRUPT_2009_bw.pdf.

1 comment

Comment from: Jai [Visitor]
*****
Hi Sean,

One of your friends from OZ here, just saw your site and was impressed, keep up the good work mate and let the blue boys force be with you.... :o)

Jai
10/04/09 @ 07:47

Q: What is EnRUPT?

A: EnRUPT is a simple scalable all-in-one block/stream cipher/hash.
