Search results for: preimage resistance

Number of results: 375710

Journal: IACR Cryptology ePrint Archive 2017
Nicholas Genise, Daniele Micciancio

We present improved algorithms for gaussian preimage sampling using the lattice trapdoors of (Micciancio and Peikert, CRYPTO 2012). The MP12 work only offered a highly optimized algorithm for the on-line stage of the computation in the special case when the lattice modulus q is a power of two. For arbitrary modulus q, the MP12 preimage sampling procedure resorted to general lattice algorithms w...

Journal: IACR Cryptology ePrint Archive 2015
Daniel R. L. Brown

Neven, Smart and Warinschi (NSW) proved, in the generic group model, that full-length Schnorr signatures require only random-prefix resistant hash functions to resist passive existential forgery. Short Schnorr signatures halve the length of the hash function, and have been conjectured to provide a similar level of security. The NSW result is too loose to provide a meaningful security for short ...

2013
Philippe Gaborit, Olivier Ruatta, Julien Schrek, Gilles Zémor

We propose a new approach to code-based signatures that makes use in particular of rank metric codes. When the classical approach consists in finding the unique preimage of a syndrome through a decoding algorithm, we propose to introduce the notion of mixed decoding of erasures and errors for building signature schemes. In that case the difficult problem becomes, as is the case in lattice-based...

2009
Mario Lamberger, Florian Mendel

The recently started SHA-3 competition in order to find a new secure hash standard and thus a replacement for SHA-1/SHA-2 has attracted a lot of interest in the academic world as well as in industry. There are 51 round one candidates building on sometimes very different principles. In this paper, we show how to attack two of the 51 round one hash functions. The attacks have in common that they ...

2008
Walter Bergweiler, Alexandre Eremenko

If the preimage of a four-point set under a meromorphic function belongs to the real line then the image of the real line is contained in a circle in the Riemann sphere. We include an application of this result to holomorphic dynamics: if the Julia set of a rational function is contained in a smooth curve then it is contained in a circle. If the full preimage of a two-point set under a rational...

Journal: IACR Cryptology ePrint Archive 2009
Benjamin Bloom, Alan Kaminsky

This paper describes a second preimage attack on the CubeHash cryptographic one-way hash function. The attack finds a second preimage in less time than brute force search for these CubeHash variants: CubeHash r/b-224 for b > 100; CubeHash r/b-256 for b > 96; CubeHash r/b-384 for b > 80; and CubeHash r/b-512 for b > 64. However, the attack does not break the CubeHash variants recommended for SHA-3....
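The abstract above measures its attack against "brute force search". As an added example (not code from the Bloom and Kaminsky paper, and not CubeHash), the block below makes that baseline concrete: a generic second-preimage search on an ideal n-bit hash costs about 2^n trials, while a generic birthday collision search costs about 2^(n/2). It uses SHA-256 truncated to n bits as a stand-in hash so that n = 16 finishes in well under a second, and all target and candidate messages are constructed inline.

```python
import hashlib

# Added example, not from any of the listed papers. A truncated SHA-256 stands
# in for a short-output hash; CubeHash itself is not used here.


def truncated_hash(data: bytes, n_bits: int) -> int:
    """Return the top n_bits of SHA-256(data) as an integer (0 < n_bits <= 256)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def second_preimage_bruteforce(target_msg: bytes, n_bits: int):
    """Generic second-preimage search: enumerate fresh messages until one
    hashes to the same truncated value as target_msg. Returns (msg, trials).
    Expected cost is about 2**n_bits trials for an ideal n-bit hash."""
    target = truncated_hash(target_msg, n_bits)
    trials = 0
    while True:
        trials += 1
        candidate = b"second-preimage-" + trials.to_bytes(8, "big")  # constructed input
        if candidate != target_msg and truncated_hash(candidate, n_bits) == target:
            return candidate, trials


def collision_bruteforce(n_bits: int):
    """Generic birthday search: hash fresh messages until a value repeats.
    Returns (msg1, msg2, trials); expected cost about 2**(n_bits/2) trials."""
    seen = {}
    trials = 0
    while True:
        trials += 1
        msg = b"collision-" + trials.to_bytes(8, "big")  # constructed input
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg


def compare_costs(n_bits: int = 16, samples: int = 3) -> dict:
    """Average second-preimage trial counts over a few constructed targets and
    run one collision search, so the 2**n versus 2**(n/2) gap is visible."""
    sp_trials = []
    for i in range(samples):
        target = b"target-message-%d" % i  # constructed target
        found, t = second_preimage_bruteforce(target, n_bits)
        # Sanity check: the result really is a second preimage.
        assert found != target
        assert truncated_hash(found, n_bits) == truncated_hash(target, n_bits)
        sp_trials.append(t)
    m1, m2, coll_trials = collision_bruteforce(n_bits)
    assert m1 != m2 and truncated_hash(m1, n_bits) == truncated_hash(m2, n_bits)
    return {
        "n_bits": n_bits,
        "second_preimage_avg_trials": sum(sp_trials) / len(sp_trials),
        "second_preimage_expected": 2 ** n_bits,
        "collision_trials": coll_trials,
        "collision_expected": 2 ** (n_bits / 2),
    }


if __name__ == "__main__":
    print(compare_costs())
```

For n = 16 the second-preimage average lands near 65536 trials while the collision search finishes in a few hundred, which is the distinction the CubeHash abstract relies on: an attack that beats the 2^n second-preimage bound can still leave the hash's collision resistance untouched, and a variant is only "broken" relative to the bound for the property being attacked.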

Journal: IACR Cryptology ePrint Archive 2015
Jian Zou, Le Dong

The Kupyna hash function was selected as the new Ukrainian standard DSTU 7564:2014 in 2015. It is designed to replace the old Commonwealth of Independent States (CIS) standard GOST 34.311-95. The Kupyna hash function is an AES-based primitive, which uses a Merkle-Damgård compression function based on the Even-Mansour design. In this paper, we show the first cryptanalytic attacks on the round-reduced Kupyna hash func...

2012
Dmitry Khovratovich

We extend and improve biclique attacks, which were recently introduced for the cryptanalysis of block ciphers and hash functions. While previous attacks required a primitive to have a key or a message schedule, we show how to mount attacks on the primitives with these parameters fixed, i.e. on permutations. We introduce the concept of sliced bicliques, which is a translation of regular biclique...

2008
Yan Gérard, Fabien Feschet, David Coeurjolly

Based on a classical convex hull algorithm called Gift-Wrapping, the purpose of the paper is to provide a new algorithm for computing the vertices of a polytope called preimage roughly the set of naive digital planes containing a finite subset S of Z3. The vertices of the upper hemisphere, the ones of the lower hemisphere and at last the equatorial vertices are computed independently. The princ...

Journal: IACR Cryptology ePrint Archive 2006
Shenghui Su, Yixian Yang, Bo Yang, Shaolan Zhang

The authors propose a new type of hash iterative structure, the ring-iterative structure with feedback, which is subdivided into the single feedback ring iteration and the multiple feedback ring iteration, namely SFRI and MFRI. We prove that SFRI is at least equivalent to the MD structure in security, and MFRI is at least equivalent to SFRI in security (property 1 makes people incline to believe M...
