Finding Collisions for Round-Reduced Romulus-H

IF 1.7 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING

IACR Transactions on Symmetric Cryptology Pub Date : 2023-03-10 DOI:10.46586/tosc.v2023.i1.67-88

Marcel Nageler, Felix Pallua, Maria Eichlseder

{"title":"Finding Collisions for Round-Reduced Romulus-H","authors":"Marcel Nageler, Felix Pallua, Maria Eichlseder","doi":"10.46586/tosc.v2023.i1.67-88","DOIUrl":null,"url":null,"abstract":"The hash function Romulus-H is a finalist in the NIST Lightweight Cryptography competition. It is based on the Hirose double block-length (DBL) construction which is provably secure when used with an ideal block cipher. However, in practice, ideal block ciphers can only be approximated. Therefore, the security of concrete instantiations must be cryptanalyzed carefully; the security margin may be higher or lower than in the secret-key setting. So far, the Hirose DBL construction has been studied with only a few other block ciphers, like IDEA and AES. However, Romulus-H uses Hirose DBL with the SKINNY block cipher where only very little analysis has been published so far. In this work, we present the first practical analysis of Romulus-H. We propose a new framework for finding collisions in hash functions based on the Hirose DBL construction. This is in contrast to previous work that only focused on free-start collisions. Our framework is based on the idea of joint differential characteristics which capture the relationship between the two block cipher calls in the Hirose DBL construction. To identify good joint differential characteristics, we propose a combination of MILP and CP models. Then, we use these characteristics in another CP model to find collisions. Finally, we apply this framework to Romulus-H and find practical collisions of the hash function for 10 out of 40 rounds and practical semi-free-start collisions for up to 14 rounds.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"8 1","pages":"67-88"},"PeriodicalIF":1.7000,"publicationDate":"2023-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Transactions on Symmetric Cryptology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.46586/tosc.v2023.i1.67-88","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

The hash function Romulus-H is a finalist in the NIST Lightweight Cryptography competition. It is based on the Hirose double block-length (DBL) construction which is provably secure when used with an ideal block cipher. However, in practice, ideal block ciphers can only be approximated. Therefore, the security of concrete instantiations must be cryptanalyzed carefully; the security margin may be higher or lower than in the secret-key setting. So far, the Hirose DBL construction has been studied with only a few other block ciphers, like IDEA and AES. However, Romulus-H uses Hirose DBL with the SKINNY block cipher where only very little analysis has been published so far. In this work, we present the first practical analysis of Romulus-H. We propose a new framework for finding collisions in hash functions based on the Hirose DBL construction. This is in contrast to previous work that only focused on free-start collisions. Our framework is based on the idea of joint differential characteristics which capture the relationship between the two block cipher calls in the Hirose DBL construction. To identify good joint differential characteristics, we propose a combination of MILP and CP models. Then, we use these characteristics in another CP model to find collisions. Finally, we apply this framework to Romulus-H and find practical collisions of the hash function for 10 out of 40 rounds and practical semi-free-start collisions for up to 14 rounds.

查看原文本刊更多论文

寻找圆约简Romulus-H的碰撞

哈希函数Romulus-H是NIST轻量级密码学竞赛的决赛选手。它基于Hirose双块长度(DBL)结构，当与理想的块密码一起使用时，可以证明是安全的。然而，在实践中，理想的分组密码只能是近似的。因此，必须仔细分析具体实例的安全性;安全裕度可能高于或低于私钥设置。到目前为止，Hirose DBL结构只与其他几个分组密码(如IDEA和AES)一起研究过。然而，Romulus-H使用Hirose DBL和SKINNY分组密码，迄今为止只有很少的分析发表。在这项工作中，我们提出了Romulus-H的第一个实际分析。我们提出了一个基于Hirose DBL构造的寻找哈希函数冲突的新框架。这与之前只关注自由启动碰撞的研究形成了对比。我们的框架是基于联合差分特征的思想，它捕获了Hirose DBL结构中两个分组密码调用之间的关系。为了识别良好的关节差异特征，我们提出了MILP和CP模型的组合。然后，我们在另一个CP模型中使用这些特征来寻找碰撞。最后，我们将该框架应用于Romulus-H，并在40轮中找到了10轮哈希函数的实际碰撞，以及多达14轮的实际半自由启动碰撞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IACR Transactions on Symmetric Cryptology Mathematics-Applied Mathematics

CiteScore

5.50

自引率

22.90%

发文量