Time-memory Trade-offs for Near-collisions
1 Time-memory Trade-offs for Near-collisions
Gaëtan Leurent, UCL Crypto Group, FSE 2013
UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent
2-3 An Ideal Hash Function: the Random Oracle
Public Random Oracle; example output: 0x1d66ca77ab361c6f
The output can be used as a fingerprint of the document
4 Concrete security goals
- Preimage attack: given F and H, find M s.t. F(M) = H. Ideal security: 2^n
- Second-preimage attack: given F and M1, find M2 ≠ M1 s.t. F(M1) = F(M2). Ideal security: 2^n
- Collision attack: given F, find M1 ≠ M2 s.t. F(M1) = F(M2). Ideal security: 2^(n/2)
5 Extra goals
Hash functions are used in many different contexts, with various assumptions:
- MAC security
- Multi-collision resistance
- Herding resistance
- Partial collisions
- Random-looking output
- Near-collisions
6 Near-collisions
Near-collision attack: given F and w, find M1 ≠ M2 s.t. |F(M1) ⊕ F(M2)| ≤ w (the Hamming weight of the output difference is at most w)
- Relaxation of a collision attack
- Similar techniques to collision attacks
- Security margin
- Turning near-collisions into collisions
- Many attack papers
Topic of this talk: what is the complexity of generic near-collision attacks?
7 Outline (state of the art)
- Lower bound: 2^(n/2) / √B_w(n)
- Memory-full algorithm: 2^(n/2) / √B_w(n)
- Time-memory trade-off?
- Memoryless algorithms:
  - Truncation based: τ ≈ (2 + √2)(w − 1), cost 2^((n+τ)/2) / B_w(τ)
  - Covering codes based: 2^(n/2) / √B_{w/2}(n)
- Combine both? Truncate and find truncated near-collisions with a covering code
Result of this talk: truncate more, and use a time-memory trade-off for many collisions: with 2^τ / B_w(τ) ≲ M, cost 2^(n/2) / √B_w(τ)
8 Lower bound
- After i hash evaluations, about i² pairs
- Each pair is a w-near-collision with probability B_w(n) / 2^n
- Lower bound: i² ≳ 2^n / B_w(n), i.e. i ≳ 2^(n/2) / √B_w(n)
- Easier than collisions by a factor √B_w(n)
Definition (size of a Hamming ball): B_w(n) = #{x ∈ {0,1}^n : |x| ≤ w}
9 Naive algorithm
Near-collision algorithm:
    for 0 ≤ a < i do
        L[a] ← h(a)
    end for
    for 0 ≤ a < b < i do
        if |L[a] ⊕ L[b]| ≤ w then
            return (a, b)
        end if
    end for
Cost: i hash computations, i² comparisons (i² memory accesses), i memory. Can we avoid this?
12 Collision-finding algorithms
Collision-finding algorithms are known for full collisions: Pollard's rho
- Iterate h: x_i = f(x_{i−1})
- Collision after about 2^(n/2) iterations
- The iteration cycles (rho shape); cycle detection: Floyd (tortoise and hare), Brent, Nivasch, distinguished points
[figure: rho-shaped graph of the iterated sequence x_0, x_1, x_2, ...]
13 Near-collision algorithms
- Collision algorithms are based on iterating chains: a collision can be detected later in the chain, because the two chains merge after it
- This doesn't work for near-collisions: a near-collision between two chain points does not make the chains merge, so it is never detected
- New approaches needed
[figure: two chains started from x_0 and x'_0, merging after a collision versus diverging again after a near-collision]
14 Using truncation
1. Truncate w bits
2. Find an (n − w)-bit collision (memoryless)
3. Gives a w-near-collision for the full output: no difference on the n − w kept bits, at most w differences on the w truncated bits
Complexity: 2^((n−w)/2)
15 Using truncation
1. Truncate 2w + 1 bits
2. Find (n − 2w − 1)-bit collisions (memoryless)
3. Gives a w-near-collision with probability 1/2: no difference on the n − 2w − 1 kept bits, and the difference on the 2w + 1 truncated bits has weight at most w half of the time
Complexity: 2^((n−2w−1)/2) · 2
16 Using truncation
1. Truncate τ bits
2. Find (n − τ)-bit collisions (memoryless)
3. Gives a w-near-collision with probability B_w(τ) / 2^τ: no difference on the n − τ kept bits, arbitrary difference on the τ truncated bits
Complexity: 2^((n+τ)/2) / B_w(τ)
Optimal τ ≈ (2 + √2)(w − 1) [Lamberger–Teufl, IPL 2013]
17 Generalization
1. Build a function f so that f(x) = f(y) ⇒ |x ⊕ y| ≤ w
2. Find collisions in f ∘ h (memoryless)
3. Gives a w-near-collision: f(h(x)) = f(h(y)) ⇒ |h(x) ⊕ h(y)| ≤ w
Use a covering code [Lamberger–Rijmen]: covering radius R, decoding function f with |x ⊕ f(x)| ≤ R, so that f(x) = f(y) ⇒ |x ⊕ y| ≤ |x ⊕ f(x)| + |y ⊕ f(y)| ≤ 2R
20 Another look at truncation
Near-collision using truncation by τ bits:
- i(τ) = 2^τ / B_w(τ) collisions needed: increases with τ
- One truncated collision costs 2^((n−τ)/2): decreases with τ
Can we do better than i · 2^((n−τ)/2) to find i collisions?
- Memoryless: no
- With memory: yes, keep the state after the first collision → improved near-collision algorithms
22 Finding several collisions
Parallel collision search [van Oorschot–Wiener, JoC 1999]
Definition (distinguished point): y is distinguished iff y mod θ⁻¹ = 0 (a fraction θ of the points)
1. Compute chains x → ... → y; stop when y is distinguished
2. If y ∈ {y_i} (an already stored endpoint), a new collision is found
3. Store (x, y)
M chains cover M/θ points
[figure: chains from starts x_0 ... x_4 ending at distinguished points y_0 ... y_3]
23 Finding several collisions
Complexity [van Oorschot–Wiener, JoC 1999]:
- Small number of collisions, i.e. i ≤ M: C_small = √(π/2 · 2^n · i). Speedup over i independent searches: √i (optimal)
- Large number of collisions, i.e. i ≥ M: C_large = 5 · 2^(n/2) · i / √M. Speedup: √M/4
- Combining: C ≈ C_small + C_large = √(π/2 · 2^n · i) + 5 · 2^(n/2) · i / √M
24 TM trade-off for near-collisions using truncation
- Truncate τ bits: i(τ) = 2^τ / B_w(τ) collisions needed
- Small τ, i(τ) ≤ M: C_small = √(π/2) · 2^(n/2) / √B_w(τ), decreasing in τ
- Large τ, i(τ) ≥ M: C_large = 5 · 2^(n/2 + τ/2) / (B_w(τ) · √M), increasing in τ
- Optimum around i(τ) ≈ M: C ≈ 2^(n/2) / √B_w(τ)
25 Comparison: n = 128, w = 10
- Lower bound (memory-full): C ≳ 2^(n/2) / √B_w(n); C = [not transcribed]
- Covering codes: C ≳ 2^(n/2) / √B_{w/2}(n) for code-based algorithms, C ≳ 2^50; best code known: C = [not transcribed]
- Truncation, memoryless, τ = 2w + 1 = 21: C ≈ 2^((n−τ)/2) · 2; C = [not transcribed]
- Truncation, memoryless, optimal τ ≈ (2 + √2)(w − 1), τ = 32: C ≈ 2^((n+τ)/2) / B_w(τ); C = [not transcribed]
- Truncation with 1 GB of memory, 2^τ / B_w(τ) ≲ M, τ = 56: C ≈ 2^(n/2) / √B_w(τ); C = 2^47
27-28 New approach
1. Truncate τ bits
2. Find (n − τ)-bit w'-near-collisions, with w' = 2R
3. Gives a w-near-collision with some probability
[figure: n − τ kept bits with at most 2R differences, τ truncated bits with at most w − 2R differences]
Large parameter space (R, τ). Special cases: τ = 0 gives the coding-based algorithm; R = 0 gives the truncation-based algorithm.
Use a covering code to find near-collisions in the truncation.
29 Complexity analysis
No closed formula for the parameter choice: exhaustive search over τ and R, computing the complexity for each pair.
Table for a 128-bit hash. Entries are (τ, R) and the log2 of the number of hash function evaluations, for memory M = full, 2^16 (1 MB), 2^26 (1 GB) and 2^36 (1 TB), next to the lower bound, the best covering-code algorithm and truncation with τ = 2w − 1. The w labels and several cells did not survive transcription:
w = ?: ( 1,1) 600 (25,0) 595 (35,0)
w = ?: (17,1) 565 (27,1) 556 (44,0)
w = ?: (19,2) 531 (35,1) 520 (46,1)
w = ?: (26,2) 498 (43,1) 485 (54,1)
w = ?: (33,2) 467 (50,1) 452 (62,1)
Footnotes: number of hash function evaluations; more than 2^(n/2) memory accesses.
30 Summary
1. Time-memory trade-off: finding i collisions costs less than i · 2^(n/2); use a larger τ
2. Combine truncation and covering codes: find near-collisions in the truncated function
Significant improvement for practical parameters: 10-near-collision for a 128-bit hash, complexity [not transcribed] using 1 TB, versus [not transcribed] memoryless; lower bound: [not transcribed]. Reduces the gap for practical attacks.
31 Thanks
Questions?
With the support of ERC project CRASH
More informationAlgorithms for Data Science
Algorithms for Data Science CSOR W4246 Eleni Drinea Computer Science Department Columbia University Tuesday, December 1, 2015 Outline 1 Recap Balls and bins 2 On randomized algorithms 3 Saving space: hashing-based
More informationarxiv: v1 [cs.cc] 14 Sep 2013
arxiv:1309.3690v1 [cs.cc] 14 Sep 2013 Element Distinctness, Frequency Moments, and Sliding Windows Paul Beame Computer Science and Engineering University of Washington Seattle, WA 98195-2350 beame@cs.washington.edu
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More informationCracking Passwords with Time-memory Trade-offs. Gildas Avoine INSA Rennes (France), UCL (Belgium)
Cracking Passwords with Time-memory Trade-offs Gildas Avoine INSA Rennes (France), UCL (Belgium) SUMMARY Motivations Hellman Tables Oechslin Tables Real Life Examples Rainbow Tables with Fingerprints Conclusion
More informationSome Attacks on Merkle-Damgård Hashes
Overview Some Attacks on Merkle-Damgård Hashes John Kelsey, NIST and KU Leuven May 8, 2018 m 0 m 1 m 2 m 3 10*L h 0 h 1 h 2 h final Introduction 1 / 63 Overview Cryptographic Hash unctions Thinking About
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationCryptanalysis of Edon-R
Cryptanalysis of Edon-R Dmitry Khovratovich, Ivica Nikolić, and Ralf-Philipp Weinmann University of Luxembourg Abstract. We present various types of attacks on the hash family Edon- R. In a free start
More informationCryptanalysis on HMAC/NMAC-MD5 and MD5-MAC
Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Xiaoyun Wang 1,2, Hongbo Yu 1, Wei Wang 2, Haina Zhang 2, and Tao Zhan 3 1 Center for Advanced Study, Tsinghua University, Beijing 100084, China {xiaoyunwang,
More informationBounds on Birthday Attack Times
Bounds on Birthday Attack Times Michael J Wiener 20 Hennepin St, Nepean, Ontario, Canada K2J 3Z4 michaelwiener at sympaticoca 2005 September 8 Abstract We analyze a generic birthday attack where distinct
More informationSuccess Probability of the Hellman Trade-off
This is the accepted version of Information Processing Letters 109(7 pp.347-351 (2009. https://doi.org/10.1016/j.ipl.2008.12.002 Abstract Success Probability of the Hellman Trade-off Daegun Ma 1 and Jin
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationHash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More informationMD5 is Weaker than Weak: Attacks on Concatenated Combiners
MD5 is Weaker than Weak: Attacks on Concatenated Combiners Florian Mendel, Christian Rechberger, and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University
More informationBlock Ciphers and Side Channel Protection
Block Ciphers and Side Channel Protection Gregor Leander ECRYPT-CSA@CHANIA-2017 Main Idea Side-Channel Resistance Without protection having a strong cipher is useless Therefore: Masking necessary Usual
More informationHash functions and Cayley graphs: The end of the story?
Hash functions and Cayley graphs: The end of the story? Christophe Petit Microelectronics Laboratory Ch. Petit - Montréal WCSC - April 2010 1 Hash functions H : {0, 1} {0, 1} n Microelectronics Laboratory
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationQuantum Computing Lecture 6. Quantum Search
Quantum Computing Lecture 6 Quantum Search Maris Ozols Grover s search problem One of the two most important algorithms in quantum computing is Grover s search algorithm (invented by Lov Grover in 1996)
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationSecurity Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2
Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................
More informationGeneric Universal Forgery Attack on Iterative Hash-based MACs
Generic Universal Forgery Attack on Iterative Hash-based MACs Thomas Peyrin and Lei Wang Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University,
More informationSecurity Analysis of the Compression Function of Lesamnta and its Impact
Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp
More information