Security Analysis of SIMD

This paper provides three important contributions to the security analysis of SIMD. First, we show a new free-start distinguisher based on symmetry relations. It allows one to distinguish the compression function of SIMD from a random function with a single evaluation. Then, we show that a class of free-start distinguishers is not a threat to wide-pipe hash functions. In particular, this means that our distinguisher has a minimal impact on the security of the SIMD hash function. Intuitively, the reason why this distinguisher does not weaken the function is that getting into a symmetric state is about as hard as finding a preimage. Finally, we study differential paths in SIMD, and give an upper bound on the probability of related-key differential paths. Our bound is in the order of 2^{-n/2} using very weak assumptions.
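The following is an added illustration, not code from the paper and not SIMD's compression function. It builds a constructed 16-bit toy compression function whose only design goal is a symmetry relation (swapping the two state words commutes with the function), and then shows the two points of the abstract in miniature: a symmetric chaining value reveals the symmetry with a single evaluation (free-start setting), while from a fixed, non-symmetric IV only a small fraction of message blocks lands in a symmetric state, roughly the fraction one would expect from a preimage-like search. The S-box, the word size, the IV and the mixing function are all assumptions chosen for the toy.

```python
"""Toy free-start distinguisher based on a symmetry relation (constructed example).

State: two 8-bit words (a, b), i.e. a 2n-bit wide-pipe state with n = 8.
Message block: one 16-bit value m.
Design property: compress(swap(h), m) == swap(compress(h, m)), so states with
a == b (fixed points of swap) map to states with a == b.  A random function
would output a symmetric state with probability 2^-8 (2^8 symmetric states
out of 2^16), so one evaluation from a symmetric chaining value distinguishes.
"""
import random

MASK = 0xFF

# Fixed 8-bit S-box, built once from a seeded shuffle (constructed, no claim
# of cryptographic quality; it only has to be a nonlinear permutation).
_rng = random.Random(2024)
SBOX = list(range(256))
_rng.shuffle(SBOX)


def g(x, m):
    """Nonlinear 8-bit word update driven by the 16-bit block m."""
    m1, m2 = m & MASK, (m >> 8) & MASK
    return SBOX[(x + m1) & MASK] ^ SBOX[x ^ m2]


def compress(h, m):
    """Toy compression function on h = (a, b).

    Both words are processed by the same rule, and each output word mixes in
    the other input word, which is exactly what makes swap commute with it.
    """
    a, b = h
    return (g(a, m) ^ b, g(b, m) ^ a)


def swap(h):
    return (h[1], h[0])


def is_symmetric(h):
    return h[0] == h[1]


def check_commutation(trials=1000, seed=1):
    """Verify the symmetry relation on random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        h = (rng.randrange(256), rng.randrange(256))
        m = rng.randrange(1 << 16)
        if compress(swap(h), m) != swap(compress(h, m)):
            return False
    return True


def free_start_distinguisher(m, start=(0x5A, 0x5A)):
    """Free-start setting: the attacker chooses the chaining value.

    With a symmetric start the output is symmetric for every m, so a single
    evaluation separates this function from a random one.
    """
    return is_symmetric(compress(start, m))


def symmetric_hits_from_iv(iv):
    """Hash setting: the IV is fixed and non-symmetric.

    Count how many of the 2^16 message blocks reach a symmetric state.  For a
    well-mixing function this is about 2^16 / 2^8 = 2^8, i.e. reaching the
    symmetric subspace costs about 2^n work, the same order as a preimage on
    the n-bit output of this toy.
    """
    return sum(1 for m in range(1 << 16) if is_symmetric(compress(iv, m)))


if __name__ == "__main__":
    print("symmetry relation holds:", check_commutation())
    print("free-start output symmetric:", free_start_distinguisher(0x1234))
    hits = symmetric_hits_from_iv((0x01, 0x02))
    print("blocks reaching a symmetric state from fixed IV:", hits, "of", 1 << 16)
```

The contrast between `free_start_distinguisher` (always true) and `symmetric_hits_from_iv` (a small fraction, expected around 1/256 for this toy) is the intuition the abstract gives for why the free-start result does not carry over to the wide-pipe hash: the attacker does not control the chaining value, and steering it into the symmetric subspace is about as expensive as a preimage search.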
