Cryptanalysis of the GOST Hash Function
|
|
- Jewel Powers
- 6 years ago
- Views:
Transcription
1 Cryptanalysis o the GOST Hash Function Florian Mendel 1, Norbert Pramstaller 1, Christian Rechberger 1, Marcin Kontak 2, and Janusz Szmidt 2 1 Institute or Applied Inormation Processing and Communications (IAIK), Graz University o Technology, Ineldgasse 16a, 8010 Graz, Austria Florian.Mendel@iaik.tugraz.at 2 Institute o Mathematics and Cryptology, Faculty o Cybernetics, Military University o Technology, ul. Kaliskiego 2, Warsaw, Poland Abstract. In this article, we analyze the security o the GOST hash unction. The GOST hash unction, deined in the Russian standard GOST , is an iterated hash unction producing a -bit hash value. As opposed to most commonly used hash unctions such as MD5 and SHA-1, the GOST hash unction deines, in addition to the common iterative structure, a checksum computed over all input message blocks. This checksum is then part o the inal hash value computation. As a result o our security analysis o the GOST hash unction, we present the irst collision attack with a complexity o about evaluations o the compression unction. Furthermore, we are able to signiicantly improve upon the results o Mendel et al. with respect to preimage and second preimage attacks. Our improved attacks have a complexity o about evaluations o the compression unction. Keywords: cryptanalysis, hash unction, collision attack, second preimage attack, preimage attack 1 Introduction A cryptographic hash unction H maps a message M o arbitrary length to a ixed-length hash value h. Inormally, a cryptographic hash unction has to ulill the ollowing security requirements: Collision resistance: it is practically ineasible to ind two messages M and M, with M M, such that H(M) = H(M ). Second preimage resistance: or a given message M, it is practically ineasible to ind a second message M M such that H(M) = H(M ). Preimage resistance: or a given hash value h, it is practically ineasible to ind a message M such that H(M) = h. The resistance o a hash unction to collision and (second) preimage attacks depends in the irst place on the length n o the hash value. Regardless o how a hash unction is designed, an adversary will always be able to ind preimages or second preimages ater trying out about 2 n dierent messages. Finding collisions
2 requires a much smaller number o trials: about 2 n/2 due to the birthday paradox. I the internal structure o a particular hash unction allows collisions or (second) preimages to be ound more eiciently than what could be expected based on its hash length, then the unction is considered to be broken. For a ormal treatment o the security properties o cryptographic hash unctions we reer to [18, 22]. Recent cryptanalytic results on hash unctions mainly ocus on collision attacks. Collisions have been shown or many commonly used hash unctions (see or instance [5, 6, 16, 24 26]), but we are not aware o any published collision attack on the GOST hash unction. In this article, we will present a security analysis o the GOST hash unction with respect to both collision and (second) preimage resistance. The GOST hash unction is widely used in Russia and is speciied in the Russian national standard GOST [3]. This standard has been developed by GUBS o Federal Agency Government Communication and Inormation and All-Russian Scientiic and Research Institute o Standardization. The GOST hash unction is the only hash unction that can be used in the Russian digital signature algorithm GOST [2]. Thereore, it is also used in several RFCs and implemented in various cryptographic applications (as or instance openssl). The GOST hash unction is an iterated hash unction producing a -bit hash value. As opposed to most commonly used hash unctions such as MD5 and SHA-1, the GOST hash unction deines, in addition to the common iterative structure, a checksum computed over all input message blocks. This checksum is then part o the inal hash value computation. The GOST standard also speciies the GOST block cipher [1], which is the main building block o the hash unction. Thereore, it can be considered as a block-cipher-based hash unction. While there have been published several cryptanalytic results regarding the block cipher (see or instance [4, 11, 14, 19, 20]), only a ew results regarding the hash unction have been published to date. Note that or the remainder o this article we reer to the GOST hash unction simply as GOST. Related Work. In [7], Gauravaram and Kelsey show that the generic attacks on hash unctions based on the Merkle-Damgård design principle can be extended to hash unctions with linear/modular checksums independent o the underlying compression unction. Hence, second preimages can be ound or long messages (consisting o 2 t message blocks) or GOST with a complexity o 2 n t evaluations o the compression unction. At FSE 2008, Mendel et al. have presented the irst attack on GOST exploiting the internal structure o the compression unction. The authors exploit weaknesses in the internal structure o GOST to construct pseudo-preimages or the compression unction o GOST with a complexity o about compression unction evaluations. Furthermore, they show how the attack on the compression unction o GOST can be extended to a (second) preimage attack on the hash unction. The attack has a complexity o about evaluations o the compression unction o GOST. Both attacks are structural attacks in the sense that they are independent o the underlying block cipher.
3 Our Contribution. We improve upon the state o the art as ollows. First, we show that or plaintexts o a speciic structure, we can construct ixed-points in the GOST block cipher eiciently. Second, based on this property in the GOST block cipher we then show how to construct collisions in the compression unction o GOST with a complexity o 2 96 compression unction evaluations. This collision attack on the compression unction is then extended to a collision attack on the GOST hash unction. The extension is possible by combining a multicollision attack and a generalized birthday attack on the checksum. The attack has a complexity o about evaluations o the compression unction o GOST. Furthermore, we show that due to the generic nature o our attack we can construct meaningul collisions, i.e. collisions in the chosen-preix setting with the same complexity. Note that in most cases constructing meaningul collisions is more complicated than constructing (random) collisions (see or instance MD5 [21]). Third, we show how the (second) preimage attack o Mendel et al. can be improved by additionally exploiting weaknesses in the GOST block cipher. The new improved (second) preimage attack has a complexity o evaluations o the compression unction o GOST. Table 1. Comparison o results or the GOST hash unction. source attack complexity attack Gauravaram and Kelsey second preimages or long CT-RSA 2008 [7] 2 t messages (2 t blocks) Mendel et al. preimages and FSE 2008 [15] second preimages collisions meaningul collisions this work (chosen-preix) preimages and second preimages The remainder o this article is structured as ollows. In Section 2, we give a short description o the GOST hash unction. In Section 3, we describe the GOST block cipher and show how to construct ixed-points eiciently. We use this in the collision attack on the hash unction in Section 4. In Section 5, we show a new improved (second) preimage attack or the hash unction. Finally, we present conclusions in Section 6. 2 The Hash Function GOST GOST is an iterated hash unction that processes message blocks o bits and produces a -bit hash value. I the message length is not a multiple o,
4 STEP STEP 1 STEP 3 STEP t Fig. 1. Structure o the GOST hash unction. an unambiguous padding method is applied. For the description o the padding method we reer to [3]. Let M = M 1 M 2 M t be a t-block message (ater padding). The hash value h = H(M) is computed as ollows (see Fig. 1): H 0 = IV (1) H i = (H i 1, M i ) or 0 < i t (2) H t+1 = (H t, M ) (3) H t+2 = (h t+1, Σ) = h, (4) where Σ = M 1 M 2 M t, and denotes addition modulo 2. IV is a predeined initial value and M represents the bit-length o the entire message prior to padding. As can be seen in (4), GOST speciies a checksum (Σ) consisting o the modular addition o all message blocks, which is then input to the inal application o the compression unction. Computing this checksum is not part o most commonly used hash unctions such as MD5 and SHA-1. The compression unction o GOST basically consist o three parts (see also Fig. 2): the state update transormation, the key generation, and the output transormation. In the ollowing, we will describe these parts in more detail. 2.1 State Update Transormation The state update transormation o GOST consists o 4 parallel instances o the GOST block cipher, denoted by E. The intermediate hash value H i 1 is split into our 64-bit words h 3 h 2 h 1 h 0. Each 64-bit word is used in one stream o the state update transormation to construct the -bit value S = s 3 s 2 s 1 s 0 in the ollowing way: s 0 = E(k 0, h 0 ) (5) s 1 = E(k 1, h 1 ) (6) s 2 = E(k 2, h 2 ) (7) s 3 = E(k 3, h 3 ) (8) where E(K, P ) denotes the encryption o the 64-bit plaintext P under the - bit key K. We reer to Section 3, or a detailed description o the GOST block cipher.
5 i i i Fig. 2. The compression unction o GOST 2.2 Key Generation The key generation o GOST takes as input the intermediate hash value H i 1 and the message block M i to compute a 1024-bit key K. This key is split into our -bit keys k i, i.e. K = k 3 k 0, where each key k i is used in one stream as the key or the GOST block cipher E in the state update transormation. The our keys k 0, k 1, k 2, and k 3 are computed in the ollowing way: k 0 = P (H i 1 M i ) (9) k 1 = P (A(H i 1 ) A 2 (M i )) (10) k 2 = P (A 2 (H i 1 ) Const A 4 (M i )) (11) k 3 = P (A(A 2 (H i 1 ) Const) A 6 (M i )) (12) where A and P are linear transormations and Const is a constant. Note that A 2 (x) = A(A(x)). For the deinition o the linear transormation A and P as well as the value o Const, we reer to [3], since we do not need it or our analysis. 2.3 Output Transormation The output transormation o GOST combines the intermediate hash value H i 1, the message block M i, and the output o the state update transormation S to
6 compute the output value H i o the compression unction. It is deined as ollows. H i = ψ 61 (H i 1 ψ(m i ψ 12 (S))) (13) The linear transormation ψ : {0, 1} {0, 1} is given by: ψ(γ ) = (γ 0 γ 1 γ 2 γ 3 γ 12 γ 15 ) γ 15 γ 14 γ 1 (14) where Γ is split into sixteen 16-bit words, i.e. Γ = γ 15 γ 14 γ 0. 3 The GOST Block Cipher The GOST block cipher is speciied by the Russian government standard GOST [1]. Several cryptanalytic results have been published or the block cipher (see or instance [4, 11, 14, 19, 20]). However, i the block cipher is used in a hash unction then we are acing a dierent attack scenario: the attacker has ull control over the key. First results considering this act or the security analysis o hash unctions have been presented or instance in [13]. We will exploit having ull control over the key or constructing ixed-points or the GOST block cipher. 3.1 Description o the block cipher The GOST block cipher is a 32 round Feistel network with a block size o 64 bits and a key length o bits. The round unction o the GOST block cipher consists o a key addition, eight dierent 4 4 S-boxes S j (0 j < 8) and a cyclic rotation (see also Figure 3). For the deinition o the S-boxes we reer to [3], since we do not need them or our analysis. L i 32 <<< 11 S 7 S 6 sk i R i 32 S 0 L i+1 R i+1 Fig. 3. One round o the GOST block cipher. The key schedule o the GOST block cipher deines the subkeys sk i derived rom the -bit K = k 7 k 6 k 0 as ollows { k i mod 8, i = 0,..., 23, sk i = (15) k 7 (i mod 8), i = 24,..., 31.
7 3.2 Constructing a Fixed-Point In the ollowing, we will show how to eiciently construct ixed-points in the GOST block cipher. It is based on the ollowing observation. Note that a similar observation was used by Kara in [10] or a chosen plaintext attack on the GOST block cipher. Observation 1 Assume we are given a plaintext P = L 0 R 0 with L 0 = R 0. Then we can construct a ixed-point or the block cipher by constructing a ixedpoint in the irst 8 rounds. In the ollowing, we reer to a plaintext P = L 0 R 0 with L 0 = R 0 as a symmetric plaintext (or or short as symmetric). Note that by using the block cipher or constructing a hash unction, an attacker has ull control over the key. Furthermore, each word o the key is only used once in the irst 8 rounds o the block cipher. Hence, constructing a ixed-point in the irst 8 rounds can be done eiciently. First, we choose random values or the irst 6 words o the key (subkeys sk 0,..., sk 5 ) and compute L 6 and R 6. Next, we choose the last 2 words o the key (subkeys sk 6 and sk 7 ) such that L 8 = L 0 and R 8 = R 0. With this method we can construct a ixed-point in the irst 8 rounds o the block cipher with a computational cost o 8 round computations. It is easy to see that i we have a ixed-point in the irst 8 rounds, then this is also a ixed-point or rounds 9-16 and since the same subkeys are used in these rounds. In the last 8 rounds the subkey is put in the opposite order, see (15). However, since the GOST block cipher is a Feistel network, we have here (rounds 25-32) a decryption i L 24 = R 24. This implies that we have a ixedpoint or the GOST block cipher (or all 32 rounds) i the plaintext is symmetric. Hence, or symmetric plaintexts we can eiciently construct ixed-points or the GOST block cipher. 4 Collision Attack on GOST In this section, we present a collision attack on the GOST hash unction with a complexity o about evaluations o the compression unction. First, we will show how to construct collisions or the compression unction o GOST, and based on this attack we then describe the collision attack or the hash unction. For the remainder o this article we ollow the notation o [15]. 4.1 Constructing a Collision in the Compression Function In the ollowing, we show how to construct a collision in the compression unction o GOST. The attack is based on structural weaknesses o the compression unction. These weaknesses have been used in [15] to construct pseudo-collisions and pseudo-preimages or the compression unction o GOST with a complexity o 2 96 and 2 192, respectively.
8 Now we show a collisions attack on the compression unction by additionally exploiting weaknesses in the underlying GOST block cipher. Since the transormation ψ is linear, (13) can be written as: H i = ψ 61 (H i 1 ) ψ 62 (M i ) ψ 74 (S) (16) Furthermore, ψ is invertible and hence (16) can be written as: ψ 74 (H i ) = ψ 13 (H i 1 ) ψ 12 (M i ) S (17) }{{}}{{}}{{} X Y Z Note that Y depends linearly on H i 1 and Z depends linearly on M i. As opposed to Y and Z, S depends on both H i 1 and M i processed by the block cipher E. For the ollowing discussion, we split the -bit words X, Y, Z deined in (17) into 64-bit words: X = x 3 x 2 x 1 x 0 Y = y 3 y 2 y 1 y 0 Z = z 3 z 2 z 1 z 0 Now, (17) can be written as: x 0 = y 0 z 0 s 0 (18) x 1 = y 1 z 1 s 1 (19) x 2 = y 2 z 2 s 2 (20) x 3 = y 3 z 3 s 3 (21) Now assume, that we can ind 2 96 message blocks M j i, where M i k Mi t with k t, such that all message blocks produce the same value x 0. Then we know that due to the birthday paradox two o these message blocks also lead to the same values x 1, x 2, and x 3. In other words, we have constructed a collision or the compression unction o GOST. The attack has a complexity o about 2 96 evaluations o the compression unction o GOST. Based on this short description, we will show now how to construct message blocks M j i, which all produce the same value x 0. Assume, we want to keep the value s 0 in (18) constant. Since s 0 = E(k 0, h 0 ) and k 0 depends linearly on the message block M i, we have to ind keys k j 0 and hence, message blocks M j i, which all produce the same value s 0. This can be done by exploiting the act that in the GOST block cipher ixed-points can be constructed eiciently or symmetric plaintexts (see Section 3.2). In other words, i h 0 is symmetric then we can construct 2 96 message blocks M j i where s 0 = h 0, and (18) becomes x 0 = y 0 z 0 h 0. (22) However, to ind message blocks M j i or which x 0 has the same value, we still have to ensure that also the term y 0 z 0 in (22) has the same value or all message blocks. Thereore, we get the ollowing equation (64 equations over GF (2)) y 0 z 0 = c (23)
9 where c is an arbitrary 64-bit value. We know that y 0 depends linearly on H i 1 and z 0 depends linearly on M i, see (17). Thereore, the choice o the message block M i and accordingly, the choice o the key k 0, is restricted by 64 equations over GF (2). Hence, or constructing a ixed-point in the GOST block cipher we have to consider these restrictions. For the ollowing discussion let A k 0 = d (24) denote the set o 64 equations over GF (2) which restricts the choice o the key k 0, where A is a 64 matrix over GF (2) and d is a 64-bit vector. It ollows rom Observation 1 that or constructing a ixed-point in the GOST block cipher (or symmetric plaintexts), it is suicient to construct a ixed-point in the irst 8 rounds. Hence, one method to construct an appropriate ixed-point would be to construct many arbitrary ixed-points and then check i (24) holds. With this method we ind an appropriate ixed-point with a complexity o about Since we need 2 96 such ixed-points or the collision attack, this would lead to a complexity o evaluations o the compression unction o GOST. However, we can improve this complexity by using a meet-in-the-middle approach (see also Fig. 4). L 0 = R 0 sk 0 sk 1 sk 2 sk 3 sk 0 A 1 sk 1 sk 2 d 1 sk 3 sk 0 sk 1 sk 2 A 1 A 2 sk 3 sk 4 d 1 d 2 d sk 4 sk 5 sk 6 sk 7 sk 4 A 2 sk 5 sk 6 d 2 sk 7 sk 5 sk 6 sk 7 L 8 = R 8 = L 0 Fig. 4. Constructing a ixed-point in the GOST block cipher. We split the irst 8 rounds o the GOST block cipher into 2 parts P 1 (rounds 1-4) and P 2 (rounds 5-8). Since the subkey used in the irst 8 rounds is restricted by A k 0, we also split this system o 64 equations over GF (2) into two parts: sk 0 sk 4 A 1 sk 1 sk 2 = d 1 A 2 sk 5 sk 6 = d 2 (25) sk 3 sk 7
10 where A = [A 1 A 2 ] and d = d 1 d 2. Now we can apply a meet-in-the-middle attack to construct 2 64 appropriate ixed-points or the GOST block cipher with a complexity o It can be summarized as ollows. 1. Choose a random value or d 1. This determines also d 2 = d d For all 2 64 subkeys sk 0,..., sk 3 which ulill (25) compute L 4, R 4 and save the result in the list L. 3. For all 2 64 subkeys sk 4,..., sk 7 which ulill (25) compute rounds 4-8 backward to get L 4, R 4 and check or a matching entry in the list L. Note that since there are 2 64 entries in the list L we expect to always ind a matching entry in the list L. Hence, we get 2 64 appropriate ixed-points or the GOST block cipher with a complexity o about 2 64 and memory requirements o bytes. By repeating this attack about 2 32 times or dierent choices o d 1, we get 2 96 appropriate ixed-points. In other words, we ound 2 96 keys k j 0 which all produce the same value s 0 = E(k j 0, h 0) and additionally ulill (24). Consequentially, we have 2 96 message blocks M j i which all result in the same value x 0 with X = ψ 74 (H i ). By applying a birthday attack we will ind two message blocks Mi k and Mi t with k t where also x 1, x 2, and x 3 are equal. In other words, we can ind a collision or the compression unction o GOST with a complexity o about 2 96 instead o evaluations o the compression unction o GOST. 4.2 Constructing Collisions or the Hash Function In this section, we show how the collision attack on the compression unction can be extended to the hash unction. The attack has a complexity o about evaluations o the compression unction o GOST. Note that the hash unction deines, in addition to the common iterative structure, a checksum computed over all input message blocks which is then part o the inal hash computation. Thereore, to construct a collision in the hash unction we have to construct a collision in the iterative structure (i.e. chaining variables) as well as in the checksum. To do this we use multicollisions. A multicollision is a set o messages o equal length that all lead to the same hash value. As shown in [9], constructing a 2 t collision, i.e. 2 t messages consisting o t message blocks which all lead to the same hash value, can be done with a complexity o about t 2 x or any iterated hash unction, where 2 x is the cost o constructing a collision in the compression unction. As shown in Section 4.1, collisions or the compression unction o GOST can be constructed with a complexity o 2 96 i h 0 is symmetric in H i 1 = h 3 h 2 h 1 h 0. Note that by using an additional message block M i 1 we ind a chaining variable H i 1 = (H i 2, M i 1 ), where h 0 is symmetric with a complexity o 2 32 compression unction evaluations. Hence, we can construct a collision with a complexity o about 128 ( ) evaluations o the compression unction o GOST. With this method we get messages M that all lead to the same value H as depicted in Figure 5.
11 M 2 2 M M H 0 H 1 H 2 H 3 H 4 H 254 H 255 H M 1 M 3 M 255 M 2 1 M M Fig. 5. Constructing a multicollision or GOST. To construct a collision in the checksum o GOST we have to ind 2 distinct messages which produce the same value Σ = M 1 M j2 2 M 255 M j with j 2, j 4,... j {1, 2}. By applying a birthday attack we can ind these 2 messages with a complexity o about additions over GF () and memory requirements o bytes. Due to the high complexity and memory requirements o the birthday attack, one could see this part as the bottleneck o the attack. However, the runtime and memory requirements can signiicantly be reduced by applying a generalized birthday attack introduced by Wagner in [23]. Wagner shows that i l is a power o two then the memory requirements and the running time or the generalized birthday problem is given by 2 n/(1+lg l) and l 2 n/(1+lg l), respectively. Note that in the standard birthday attack we have l = 2 1. Let us now consider the case l = 2 3. Then the birthday attack in the second part o the attack has a complexity o /4 = 2 67 and uses lists o size 2 /4 = In detail, we need to construct 8 lists o size 2 64 in the irst step o the attack. Hence, we need to construct a collision in the irst part o the attack to get 8 lists o the needed size. Constructing this multicollision has a complexity o about 8 64 ( ) = compression unction evaluations and memory requirements o 8 64 (2 64) = 2 16 bytes. Hence, we can construct a collision or the GOST hash unction with a complexity o about and memory requirements o = 2 70 bytes by using a generalized birthday attack with l = 8 lists. Furthermore, the colliding message pair consists o 8 (2 64) = 1024 message blocks. Note that l = 8 is the best choice or the attack. On one hand i we choose l > 8 then the memory requirements o the attack would decrease but the attack complexity would increase. Since we need about 2 70 bytes o memory or constructing ixed-points in the GOST block cipher, this does not improve the attack. On the other hand i we choose l < 8 then the memory requirements o the attack would be signiicantly higher. A Remark on the Length Extension Property. Once, we have ound a collision, i.e. collision in the iterative part (chaining variables) and the checksum, we can construct many more collisions by appending an arbitrary message block. Note that this is not necessarily the case or a straight-orward birthday attack. By applying a birthday attack we construct a collision in the inal hash value (ater the last iteration) and appending a message block is not possible. Hence,
12 we need a collision in the iterative part as well as in the checksum or the extension property. Note that by combining the generic birthday attack and multicollisions, one can construct collisions in both parts with a complexity o about = while our attack has a complexity o A Remark on Meaningul Collisions. In a chosen-preix setting, an attacker searches or a message pair (M, M ) such that or a given hash unction H H(M pre M) = H(M pre M ) (26) or any pair (M pre, M pre). In [21], Stevens et al. show that such a more powerul attack exists or MD5. Furthermore, they describe an application o this attack or colliding X.509 certiicates. Note that their attack (in a chosen-preix setting) has a complexity o 2 50, while the currently best published collision attack or MD5 has a complexity o about 2 30 evaluations o the compression unction [12]. However, in the case o GOST the collision attack in the chosen-preix setting has the same complexity as the collision attack. Due to the generic nature o the collision attack, dierences in the chaining variables can be canceled eiciently. Assume that the chosen preix (M pre, M pre) consists o t message blocks resulting in the chaining variables H t and H t. Then the attack can be summarized as ollows. 1. We have to ind two message blocks M t+1 and M t+1 such that h 0 = h 0 = 0, where H t+1 = h 3 h 2 h 1 h 0 and H t+1 = h 3 h 2 h 1 h 0. This has a complexity o about evaluations o the compression unction o GOST. 2. Now we have to ind two message blocks M t+2 and M t+2 such that H t+2 = H t+2. This can be done similar as constructing a collision in the compression unction o GOST (see Section 4.1). First, we choose a random value or c in (22) and construct 2 96 message blocks M t+2, where x 0 is equal. Second, we construct 2 96 message blocks M t+2, where x 0 = x 0. To guarantee that x 0 = x 0 we have to adjust c in (22) such that the ollowing equation holds. x 0 = x 0 = y 0 z 0 h 0 = c h 0 By applying a meet-in-the-middle attack we will ind two message blocks M t+2 and M t+2 which produce the same chaining variables (H t+2 = H t+2). This step o the attack has a complexity o evaluations o the compression unction o GOST. 3. Once we have constructed a collision in the iterative part (chaining variables), we have to construct a collision in the checksum as well. Thereore, we proceed as described in Section 4.2. By generating a collision and applying a generalized birthday attack with l = 8 we can construct a collision in the checksum o GOST with a complexity o compression unction evaluations and memory requirements o 2 70 bytes. Hence, we can construct meaningul collisions, i.e. collisions in the chosen-preix setting, or the GOST hash unction with a complexity o about compression unction evaluations.
13 5 Improved Preimage Attack or the Hash Function In a preimage attack, we want to ind, or a given hash value h, a message M such that H(M) = h. As we will show in the ollowing, or GOST we can construct preimages o h with a complexity o about evaluations o the compression unction o GOST. Beore describing the attack, we will irst show how to construct preimages or the compression unction o GOST. Based on this attack we then present the preimage attack or the hash unction. 5.1 A Preimage Attack or the Compression Function In a similar way as we have constructed a collision in Section 4.1, we can construct a preimage or the compression unction o GOST. In the attack, we have to ind a message block M i, such that (H i 1, M i ) = H i or the given values H i 1 and H i. Note that the value o H i determines x 3,..., x 0, since X = ψ 74 (H i ). Furthermore, assume that h 0 (in H i 1 = h 3 h 0 ) is symmetric. Then the attack can be summarized as ollows. 1. Since we will construct ixed-points or the GOST block cipher such that s 0 = E(k 0, h 0 ) = h 0, we have to adjust c in (22) such that x 0 = y 0 z 0 h 0 = c h 0 holds with X = ψ 74 (H i ). Once c is ixed, this also determines d in (24). 2. Choose a random value or d 1 (this also determines d 2 = d d 1 ) and apply a meet-in-the-middle attack to obtain 2 64 message blocks M j i or which x 0 is correct. Note that this step o the attack has memory requirements o 2 70 bytes. 3. For each message block compute X and check i x 3, x 2, and x 1 are correct. This holds with a probability o Thus, ater testing all 2 64 message blocks, we will ind a correct message block with a probability o = Note that we can repeat the attack about 2 64 times or dierent choices o d 1. Hence, we will ind a preimage or the compression unction o GOST with a probability o about 2 64 and a complexity o about evaluations o the compression unction o GOST and memory requirements o 2 70 bytes. 5.2 Extending the Attack to the Hash Function Now, we show how the preimage attack on the compression unction can be extended to the GOST hash unction. The attack has a complexity o about evaluations o the compression unction o GOST. Moreover, the preimage consists o 257 message blocks, i.e. M = M 1 M 257. The preimage attack consists o our steps as also shown in Figure 6.
14 m t 1 STEP STEP 1 STEP 2 STEP 3 Fig. 6. Preimage Attack on GOST. STEP 1: Multicollisions or GOST. For the preimage attack on the hash unction, we construct a 2 collision. This means, we have 2 messages M = M j1 j2 j 1 M2 1 M or 2 j 1, j 2,..., jt {1, 2} consisting o blocks that all lead to the same hash value H. This results in a complexity o about = evaluations o the compression unction o GOST. Furthermore, the memory requirement is about 2 message blocks, i.e. we need to store 2 14 bytes. With these multicollisions, we are able to construct the needed value o Σ m in STEP 4 o the attack (where the superscript m stands or multicollision ). STEP 2: Constructing H 258 Including the Length Encoding. In this step, we have to ind a message block M 257 such that or the given H determined in STEP 1, and or M determined by our assumption that we want to construct preimages consisting o 257 message blocks, we ind a H 258 = h 3 h 0 where h 0 is symmetric. Note that since we want to construct a message that is a multiple o bits, we choose M 257 to be a ull message block and hence no padding is needed. We proceed as ollows. Choose an arbitrary message block M 257 and compute H 258 as ollows: H 257 = (H, M 257 ) H 258 = (H 257, M ) where M = ( + 1). Then we check i h 0 in the resulting value H 258 is symmetric. This has a probability o Hence, this step o the attack requires evaluations o the compression unction o GOST. STEP 3: Preimages or the Last Iteration. To construct a preimage or the last iteration o GOST we proceed as described in Section 5.1. Since h 0 in H 258 is symmetric, we will ind a preimage or the last iteration o GOST with a probability o 2 64 (and a complexity o about ). Thereore, we have to repeat this step o the attack about 2 64 times or dierent values o H 258 (where h 0 is symmetric) to ind a preimage or the last iteration. Hence, inishing this step o the attack has a complexity o about 2 64 ( ) evaluations o the compression unction o GOST. Once we have ound a preimage or the last iteration, also the value Σ m is determined, since Σ m = Σ t M 257.
15 STEP 4: Constructing Σ m. In STEP 1, we constructed a 2 collision in the irst iterations o the hash unction. From this set o messages that all lead to the same H, we now have to ind a message M = M j1 j2 j 1 M2 M or j 1, j 2,..., j {1, 2} that leads to the value o Σ m = Σ t M 257. This can be done by applying a meet-in-the-middle attack. First, we save all values or Σ 1 = M j1 1 M j2 2 M j in the list L. Note that we have in total 2128 values in L. Second, we compute Σ 2 = M j M j M j and check i Σ m Σ 2 is in the list L. Ater testing all values, we expect to ind a matching entry in the list L and hence a message M = M j1 j2 j 1 M2 M that leads to Σ m = Σ t M 257. This step o the attack has a complexity o and a memory requirement o = bytes. Once we have ound M, we ound a preimage or GOST consisting o +1 message blocks, namely M M 257. The Attack Complexity. The complexity o the preimage attack is determined by the computational eort o STEP 2 and STEP 3, i.e. a preimage o h can be ound in about evaluations o the compression unction. The memory requirements or the preimage attack are determined by inding M in STEP 4, since we need to store bytes or the meet-in-the-middle attack. Due to the high memory requirements o STEP 4, one could see this part as the bottleneck o the attack. However, the memory requirements o STEP 4 can signiicantly be reduced by applying a memory-less variant o the meet-in-the-middle attack introduced by Quisquater and Delescaille in [17]. Hence, a preimage can be constructed or the GOST hash unction with a complexity o evaluations o the compression unction and memory requirements o about 2 70 bytes. 5.3 A Remark on Second Preimages Note that the presented preimage attack on GOST also implies a second preimage attack. In this case, we are not given only the hash value h but also a message M that results in this hash value. We can construct or any given message a second preimage in the same way as we construct preimages. The dierence is, that the second preimage will always consist o at least 257 message blocks. Thus, we can construct a second preimage or any message M (o arbitrary length) with a complexity o about evaluations o the compression unction o GOST. 6 Conclusion In this article, we have presented a collision attack and a (second) preimage attack on the GOST hash unction. Both the collision and the (second) preimage attack are based on weaknesses in the GOST block cipher, namely ixed-points can be constructed eiciently or plaintexts o a speciic structure. The internal structure o the compression unction allows to construct collisions with a complexity o about 2 96 evaluations o the compression unction. This alone would
16 not render the hash unction insecure. The act that we can construct multicollisions or any iterated hash unction including the GOST hash unction and the possibility o applying a (generalized) birthday attack to construct also a collision in the checksum make the collision attack on the hash unction possible. The attack has a complexity o about compression unction evaluations. Furthermore, the generic nature o the attack allows us to construct meaningul collisions, i.e. collisions in the chosen-preix setting, with the same complexity. In a similar way as we construct collisions or the hash unction, we can construct (second) preimages or the hash unction with a complexity o about evaluations o the compression unction. This improves the previous (second) preimage attack o Mendel et al. by a actor o Even though the complexities o our attacks are ar beyond o being practical, they point out weaknesses in the design principles o the hash unction GOST. Acknowledgements The authors wish to thank Mario Lamberger, Vincent Rijmen, and the anonymous reerees or useul comments and discussions. The work in this paper has been supported in part by the Secure Inormation Technology Center - Austria (A-SIT) and by the Austrian Science Fund (FWF), project P Reerences 1. GOST , Systems o the Inormation Treatment. Cryptographic Security. Algorithms o the Cryptographic Transormation, (In Russian). 2. GOST , Inormation Technology Cryptographic Data Security Produce and Check Procedures o Electronic Digital Signature Based on Asymmetric Cryptographic Algorithm, (In Russian). 3. GOST , Inormation Technology Cryptographic Data Security Hashing Function, (In Russian). 4. Alex Biryukov and David Wagner. Advanced Slide Attacks. In Bart Preneel, editor, EUROCRYPT, volume 1807 o LNCS, pages Springer, Christophe De Cannière, Florian Mendel, and Christian Rechberger. Collisions or 70-Step SHA-1: On the Full Cost o Collision Search. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 o LNCS, pages Springer, Christophe De Cannière and Christian Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In Xuejia Lai and Keei Chen, editors, ASIACRYPT, volume 4284 o LNCS, pages Springer, Praveen Gauravaram and John Kelsey. Linear-XOR and Additive Checksums Don t Protect Damgård-Merkle Hashes rom Generic Attacks. In Tal Malkin, editor, CT-RSA, volume 4964 o LNCS, pages Springer, Daniel Joscák and Jirí Tuma. Multi-block Collisions in Hash Functions Based on 3C and 3C+ Enhancements o the Merkle-Damgård Construction. In Min Surp Rhee and Byoungcheon Lee, editors, ICISC, volume 4296 o LNCS, pages Springer, 2006.
17 9. Antoine Joux. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In Matthew K. Franklin, editor, CRYPTO, volume 3152 o LNCS, pages Springer, Orhun Kara. Relection Attacks on Product Ciphers. Cryptology eprint Archive, Report 2007/043, John Kelsey, Bruce Schneier, and David Wagner. Key-Schedule Cryptoanalysis o IDEA, G-DES, GOST, SAFER, and Triple-DES. In Neal Koblitz, editor, CRYPTO, volume 1109 o LNCS, pages Springer, Vlastimil Klima. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology eprint Archive, Report 2006/105, Lars R. Knudsen and Vincent Rijmen. Known-Key Distinguishers or Some Block Ciphers. In Kaoru Kurosawa, editor, ASIACRYPT, volume 4833 o LNCS, pages Springer, Youngdai Ko, Seokhie Hong, Wonil Lee, Sangjin Lee, and Ju-Sung Kang. Related Key Dierential Attacks on 27 Rounds o XTEA and Full-Round GOST. In Bimal K. Roy and Willi Meier, editors, FSE, volume 3017 o LNCS, pages Springer, Florian Mendel, Norbert Pramstaller, and Christian Rechberger. A (Second) Preimage Attack on the GOST Hash Function. In Kaisa Nyberg, editor, FSE, volume 5086 o LNCS, pages Springer, Florian Mendel and Vincent Rijmen. Cryptanalysis o the Tiger Hash Function. In Kaoru Kurosawa, editor, ASIACRYPT, volume 4833 o LNCS, pages Springer, Jean-Jacques Quisquater and Jean-Paul Delescaille. How Easy is Collision Search. New Results and Applications to DES. In Gilles Brassard, editor, CRYPTO, volume 435 o LNCS, pages Springer, Phillip Rogaway and Thomas Shrimpton. Cryptographic Hash-Function Basics: Deinitions, Implications, and Separations or Preimage Resistance, Second- Preimage Resistance, and Collision Resistance. In Bimal K. Roy and Willi Meier, editors, FSE, volume 3017 o LNCS, pages Springer, Markku-Juhani O. Saarinen. A chosen key attack against the secret S-boxes o GOST, unpublished manuscript. 20. Haruki Seki and Toshinobu Kaneko. Dierential Cryptanalysis o Reduced Rounds o GOST. In Douglas R. Stinson and Staord E. Tavares, editors, Selected Areas in Cryptography, volume 2012 o LNCS, pages Springer, Marc Stevens, Arjen K. Lenstra, and Benne de Weger. Chosen-Preix Collisions or MD5 and Colliding X.509 Certiicates or Dierent Identities. In Moni Naor, editor, EUROCRYPT, volume 4515 o LNCS, pages Springer, Douglas R. Stinson. Some Observations on the Theory o Cryptographic Hash Functions. Des. Codes Cryptography, 38(2): , David Wagner. A Generalized Birthday Problem. In Moti Yung, editor, CRYPTO, volume 2442 o LNCS, pages Springer, Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, and Xiuyuan Yu. Cryptanalysis o the Hash Functions MD4 and RIPEMD. In Ronald Cramer, editor, EUROCRYPT, volume 3494 o LNCS, pages Springer, Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Victor Shoup, editor, CRYPTO, volume 3621 o LNCS, pages Springer, Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In Ronald Cramer, editor, EUROCRYPT, volume 3494 o LNCS, pages Springer, 2005.
A (Second) Preimage Attack on the GOST Hash Function
A (Second) Preimage Attack on the GOST Hash Function Florian Mendel, Norbert Pramstaller, and Christian Rechberger Institute for Applied Information Processing and Communications (IAIK), Graz University
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationThe Impact of Carries on the Complexity of Collision Attacks on SHA-1
The Impact o Carries on the Complexity o Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger and Vincent Rijmen Norbert.Pramstaller@iaik.tugraz.at Institute or Applied
More informationTheImpactofCarriesontheComplexityof Collision Attacks on SHA-1
TheImpactoCarriesontheComplexityo Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen Institute or Applied Inormation Processing and Communications
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationSecond Preimages for Iterated Hash Functions and their Implications on MACs
Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)
More informationThe SHA Family of Hash Functions: Recent Results
The SHA Family of Hash Functions: Recent Results Christian Rechberger Vincent Rijmen {Christian.Rechberger,Vincent.Rijmen}@iaik.tugraz.at Institute for Applied Information Processing and Communications
More informationCryptanalysis of Twister
Cryptanalysis of Twister Florian Mendel and Christian Rechberger and Martin chläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a,
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationPreimages for Step-Reduced SHA-2
Preimages for Step-Reduced SHA-2 Jian Guo 1 and Krystian Matusiewicz 2 1 Division of Mathematical Sciences School of Physical and Mathematical Sciences Nanyang Technological University, Singapore guojian@ntu.edu.sg
More informationPreimage Attacks on Reduced Tiger and SHA-2
Preimage Attacks on Reduced Tiger and SHA-2 Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com Abstract. This
More informationImpact of Rotations in SHA-1 and Related Hash Functions
Impact of Rotations in SHA-1 and Related Hash Functions Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University
More informationDistinguishers for the Compression Function and Output Transformation of Hamsi-256
Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson Emilia Käsper Lars Ramkilde Knudsen Krystian Matusiewicz Rune Ødegård Thomas Peyrin Martin Schläffer
More informationCryptanalysis of a class of cryptographic hash functions
Cryptanalysis o a class o cryptographic hash unctions Praveen Gauravaram 1 and John Kelsey 2 1 Technical University o Denmark, Denmark Inormation Security Institute, Australia p.gauravaram@gmail.com 2
More informationProvably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationPreimage Attacks on 3-Pass HAVAL and Step-Reduced MD5
Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5 Jean-Philippe Aumasson 1, Willi Meier 1, and Florian Mendel 2 1 FHNW, Windisch, Switzerland 2 IAIK, Graz University of Technology, Graz, Austria Abstract.
More informationFurther progress in hashing cryptanalysis
Further progress in hashing cryptanalysis Arjen K. Lenstra Lucent Technologies, Bell Laboratories February 26, 2005 Abstract Until further notice all new designs should use SHA-256. Existing systems using
More informationCryptanalysis on HMAC/NMAC-MD5 and MD5-MAC
Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Xiaoyun Wang 1,2, Hongbo Yu 1, Wei Wang 2, Haina Zhang 2, and Tao Zhan 3 1 Center for Advanced Study, Tsinghua University, Beijing 100084, China {xiaoyunwang,
More informationGeneral Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity
General Distinguishing Attacks on MAC and HMAC with Birthday Attack Complexity Donghoon Chang 1 and Mridul andi 2 1 Center or Inormation Security Technologies(CIST), Korea University, Korea dhchang@cist.korea.ac.kr
More informationPreimage Attacks on 3, 4, and 5-pass HAVAL
Preimage Attacks on 3, 4, and 5-pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationCryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512
Downloaded from orbit.dtu.dk on: Jan 8, 219 Cryptanalysis of the 1-Round Hash and Full Compression Function of SHAvite-3-512 Gauravaram, Praveen; Leurent, Gaëtan; Mendel, Florian; Plasencia, Maria Naya;
More informationNew Results on Boomerang and Rectangle Attacks
New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationRebound Attack on Reduced-Round Versions of JH
Rebound Attack on Reduced-Round Versions of JH Vincent Rijmen 1,2, Deniz Toz 1 and Kerem Varıcı 1, 1 Katholieke Universiteit Leuven Department of Electronical Engineering ESAT SCD-COSIC, and Interdisciplinary
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationMartin Cochran. August 24, 2008
Notes on the Wang et al. 2 63 SHA-1 Differential Path Martin Cochran August 24, 2008 Abstract Although advances in SHA-1 cryptanalysis have been made since the 2005 announcement of a2 63 attack by Wang
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationRebound Distinguishers: Results on the Full Whirlpool Compression Function
Rebound Distinguishers: Results on the Full Whirlpool Compression Function Mario Lamberger 1, Florian Mendel 1, Christian Rechberger 1, Vincent Rijmen 1,2,3, and Martin Schläffer 1 1 Institute for Applied
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationImproved Slide Attacks
Improved Slide Attacs Eli Biham 1 Orr Dunelman 2 Nathan Keller 3 1 Computer Science Department, Technion. Haifa 32000, Israel biham@cs.technion.ac.il 2 Katholiee Universiteit Leuven, Dept. of Electrical
More informationPreimages for Reduced SHA-0 and SHA-1
Preimages for Reduced SHA-0 and SHA-1 Christophe De Cannière 1,2 and Christian Rechberger 3 1 Département d Informatique École Normale Supérieure, christophe.decanniere@ens.fr 2 Katholieke Universiteit
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationCryptanalysis of MDC-2
Cryptanalysis of MDC-2 Lars R. Knudsen 1, Florian Mendel 2, Christian Rechberger 2, and Søren S. Thomsen 1 1 Department of Mathematics, Technical University of Denmark Matematiktorvet 303S, DK-2800 Kgs.
More informationCryptanalysis of EnRUPT
Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is
More informationOptimal Covering Codes for Finding Near-Collisions
Optimal Covering Codes for Finding Near-Collisions Mario Lamberger 1 and Vincent Rijmen 1,2 1 Institute for Applied Information Processing and Communications Graz University of Technology, Inffeldgasse
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationImproved Collision Attacks on the Reduced-Round Grøstl Hash Function
Improved Collision Attacks on the Reduced-Round Grøstl Hash Function Kota Ideguchi 1,3, Elmar Tischhauser 1,2,, and Bart Preneel 1,2 1 Katholieke Universiteit Leuven, ESAT-COSIC and 2 IBBT Kasteelpark
More informationPreimages for Reduced SHA-0 and SHA-1
Preimages for Reduced SHA-0 and SHA-1 Christophe De Cannière 1,2 and Christian Rechberger 3 1 Département d Informatique École Normale Supérieure christophe.decanniere@ens.fr 2 Katholieke Universiteit
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationCollision Attack on Boole
Collision Attack on Boole Florian Mendel, Tomislav Nad and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a, A-8010
More informationPreimage Attacks on 3, 4, and 5-Pass HAVAL
Preimage Attacks on 3, 4, and 5-Pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationImproved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl
Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Jian Zou, Wenling Wu, Shuang Wu, and Le Dong Institute of Software Chinese Academy of Sciences Beijing 100190, China
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More information2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions.
or Iterated Hash Functions or Iterated Hash Functions COSIC Kath. Univ. Leuven, Belgium & ABT Crypto bart.preneel(at)esat.kuleuven.be April 2007 Outline deinitions applications generic attacks attacks
More informationLow-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com
More informationMD5 is Weaker than Weak: Attacks on Concatenated Combiners
MD5 is Weaker than Weak: Attacks on Concatenated Combiners Florian Mendel, Christian Rechberger, and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationImproved characteristics for differential cryptanalysis of hash functions based on block ciphers
1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationImproved Collision Search for SHA-0
Improved Collision Search for SHA-0 Yusuke Naito 1, Yu Sasaki 1, Takeshi Shimoyama 2, Jun Yajima 2, Noboru Kunihiro 1, and Kazuo Ohta 1 1 The University of Electro-Communications, Japan {tolucky,yu339,kunihiro,ota}@ice.uec.ac.jp
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationOn Security Arguments of the Second Round SHA-3 Candidates
On Security Arguments o the Second Round SA-3 Candidates Elena Andreeva Andrey Bogdanov Bart Mennink Bart Preneel Christian Rechberger March 19, 2012 Abstract In 2007, the US National Institute or Standards
More informationImproved Collision and Preimage Resistance Bounds on PGV Schemes
Improved Collision and Preimage Resistance Bounds on PGV Schemes Lei Duo 1 and Chao Li 1 Department of Science, National University of Defense Technology, Changsha, China Duoduolei@gmail.com Department
More informationIntroduction to the Design and. Cryptanalysis of Cryptographic Hash Functions
Introduction to the Design and Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be Title o Presentation Cryptanalysis o Cryptographic Hash Functions Design and Security o Cryptographic Functions,
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationNear-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE
Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE Bozhan Su, Wenling Wu, Shuang Wu, Le Dong State Key Laboratory of Information Security, Institute of Software, Chinese Academy
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Author manuscript, published in "Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference 4622 (2007) 13-30" DOI : 10.1007/978-3-540-74143-5_2 Full Key-Recovery Attacks on
More informationNew Preimage Attacks Against Reduced SHA-1
New Preimage Attacks Against Reduced SHA-1 Simon Knellwolf 1 and Dmitry Khovratovich 2 1 ETH Zurich and FHNW, Switzerland 2 Microsoft Research Redmond, USA Abstract. This paper shows preimage attacks against
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationThe Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1, Jérémy Jean 1, Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationForgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions Scott Contini 1 and Yiqun Lisa Yin 2 1 Macquarie University, Centre for Advanced Computing ACAC, NSW 2109, Australia scontini@comp.mq.edu.au
More informationHow to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland
How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Q. Nguyen École Normale Supérieure Département d Informatique, 45 rue d Ulm, 75230 Paris Cedex 05, France
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationA new Design Criteria for Hash-Functions
A new Design Criteria or Hash-Functions Jean-Sébastien Coron 1, Yevgeniy Dodis 2, Cécile Malinaud 3, and Prashant Puniya 2 1 University o Luxembourg, coron@clipper.ens.r 2 New-York University, {dodis,puniya}@cs.nyu.edu
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationThe Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1,Jérémy Jean 1(B),Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationIntroduction Description of MD5. Message Modification Generate Messages Summary
How to Break MD5 and other hash functions Xiaoyun Wang and Hongbo Yu (China) Presented by: Saar Benodiz May 2012 Outline Introduction Description of MD5 Differential Attack for Hash Functions Message Modification
More informationIntroduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography
Outline CSC/ECE 574 Computer and Network Security Introductory Remarks Feistel Cipher DES AES Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 CSC/ECE 574 Dr. Peng Ning 2 Secret
More informationNew Collision attacks Against Up To 24-step SHA-2
New Collision attacks Against Up To 24-step SHA-2 Somitra Kumar Sanadhya and Palash Sarkar Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India 700108. somitra r@isical.ac.in,
More informationFinding good differential patterns for attacks on SHA-1
Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,
More informationDifferential and Rectangle Attacks on Reduced-Round SHACAL-1
Differential and Rectangle Attacks on Reduced-Round SHACAL-1 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham,
More informationSome Plausible Constructions of Double-Block-Length Hash Functions
Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationLinearization and Message Modification Techniques for Hash Function Cryptanalysis
Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification
More informationjorge 2 LSI-TEC, PKI Certification department
Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.
More informationImproved Collision Attack on MD5
Improved Collision Attack on MD5 Yu Sasaki* Yusuke Naito* Noboru Kunihiro* Kazuo Ohta* *The University of Electro-Communications, Japan { yu339, tolucky } @ice.uec.ac.jp Abstract In EUROCRYPT2005, a collision
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationSecurity Reductions of the Second Round SHA-3 Candidates
Security Reductions o the Second Round SHA-3 Candidates Elena Andreeva, Bart Mennink and Bart Preneel Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva,
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationTurbo SHA-2. Danilo Gligoroski and Svein Johan Knapskog
SHA-2 Danilo Gligoroski and Svein Johan Knapskog Centre for Quantifiable Quality of Service in Communication Systems, Norwegian University of Science and Technology, O.S.Bragstads plass 2E, N-749 Trondheim,
More information