Cryptanalysis of Simpira

Simpira is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity $2^{82.62}$ for the recommended full 15 rounds (truncated 256-bit hash value), and complexity $2^{110.16}$ for 16 rounds (full 512-bit hash value). These attacks violate the designers’ security claims that there are no structural distinguishers below $2^{128}$.
Added 03 Apr 2016
Updated 03 Apr 2016
Type Journal
Year 2016
Where IACR
Authors Christoph Dobraunig, Maria Eichlseder, Florian Mendel