Paper 2016/244

Cryptanalysis of Simpira v1

Christoph Dobraunig
Maria Eichlseder
Florian Mendel
Abstract

Simpira v1 is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The designers' security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity $2^{82.62}$ for the recommended full 15 rounds and a truncated 256-bit hash value, and complexity $2^{110.16}$ for 16 rounds and the full 512-bit hash value. These attacks violate the designers' security claims that there are no structural distinguishers with complexity below $2^{128}$.
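The abstract's collision attacks turn a differential trail through the permutation into a hash collision via the Davies-Meyer feed-forward. The following is an added illustration of that mechanism and is not code from the paper or from the Simpira designers: it uses a constructed 16-bit toy SPN permutation in place of Simpira-4 (so the search can be exhaustive), hashes with the permutation-based Davies-Meyer rule h(m) = pi(m) XOR m, and checks that any message pair whose output difference equals its input difference on the kept bits collides. Truncating the digest only requires the cancellation on the kept bits, which is the relaxation a truncated output gives an attacker. The S-box, round constants and bit counts are toy assumptions; no number it prints relates to the 2^82.62 and 2^110.16 figures of the paper.

```python
# Added illustration (not from the paper): how a differential trail whose input
# and output differences cancel through the Davies-Meyer feed-forward gives a
# hash collision, and why truncating the digest relaxes the condition.
# The permutation below is a 16-bit toy SPN, NOT Simpira-4; it exists only so
# the search is exhaustive and the collision property can be checked directly.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]        # PRESENT S-box (bijective)
ROUND_CONSTANTS = [0x1B3D, 0x5A7C, 0x9E01]              # arbitrary toy values (assumed)
WORD_MASK = 0xFFFF


def _sub_nibbles(x: int) -> int:
    """Apply SBOX to each of the four 4-bit nibbles of x."""
    return sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def _rotl16(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & WORD_MASK


def _linear_layer(x: int) -> int:
    # x ^ (x <<< 5) ^ (x <<< 11) is invertible on 16 bits: an XOR of an odd
    # number of rotations is a unit in GF(2)[t]/(t^16 + 1) = GF(2)[t]/(t + 1)^16,
    # because the polynomial 1 + t^5 + t^11 does not vanish at t = 1.
    return x ^ _rotl16(x, 5) ^ _rotl16(x, 11)


def toy_perm(x: int) -> int:
    """Keyless 3-round toy permutation on 16-bit words (stand-in for Simpira-4)."""
    for rc in ROUND_CONSTANTS:
        x = _linear_layer(_sub_nibbles(x)) ^ rc
    return x


# Tabulate once so the exhaustive searches below are cheap.
PERM = [toy_perm(m) for m in range(1 << 16)]


def dm_hash(m: int, mask: int = WORD_MASK) -> int:
    """Permutation-based Davies-Meyer: h(m) = pi(m) XOR m, then truncate to `mask`."""
    return (PERM[m] ^ m) & mask


def conforming_pairs(delta: int, mask: int = WORD_MASK) -> list:
    """Messages m with pi(m) XOR pi(m ^ delta) == delta on the bits kept by `mask`.

    For every such m the feed-forward cancels the difference on the kept bits:
      h(m ^ delta) = pi(m ^ delta) ^ m ^ delta = pi(m) ^ m = h(m)
    Each unordered pair {m, m ^ delta} is reported once (via m < m ^ delta).
    """
    return [m for m in range(1 << 16)
            if m < (m ^ delta) and ((PERM[m] ^ PERM[m ^ delta] ^ delta) & mask) == 0]


if __name__ == "__main__":
    delta = 0x0001
    for mask in (0xFFFF, 0x00FF):
        pairs = conforming_pairs(delta, mask)
        for m in pairs:
            assert dm_hash(m, mask) == dm_hash(m ^ delta, mask)
        print(f"mask={mask:#06x}: {len(pairs)} colliding pairs for delta={delta:#06x}")
```

Every pair the full-width search returns is also returned by the truncated search, never the other way round: a trail only needs to hold on the digest bits that survive truncation, so a shorter output lowers the bar for the attacker as well as the generic birthday bound (2^128 for a 256-bit digest). Against a real permutation the pairs are of course found from a low-weight trail rather than by exhaustive search; that is what the paper's 40-active-S-box trails for Simpira-4 provide.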

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Minor revision. SAC 2016
DOI
10.1007/978-3-319-69453-5_16
Keywords
Simpira, permutation-based cryptography, cryptanalysis, hash functions, collisions
Contact author(s)
maria eichlseder @ iaik tugraz at
History
2024-06-07: last of 2 revisions
2016-03-05: received
Short URL
https://ia.cr/2016/244
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/244,
      author = {Christoph Dobraunig and Maria Eichlseder and Florian Mendel},
      title = {Cryptanalysis of Simpira v1},
      howpublished = {Cryptology {ePrint} Archive, Paper 2016/244},
      year = {2016},
      doi = {10.1007/978-3-319-69453-5_16},
      url = {https://eprint.iacr.org/2016/244}
}