Improved Collision and Preimage Resistance Bounds on PGV Schemes
|
|
- Milo Stanley
- 5 years ago
- Views:
Transcription
1 Improved Collision and Preimage Resistance Bounds on PGV Schemes Lei Duo 1 and Chao Li 1 Department of Science, National University of Defense Technology, Changsha, China Duoduolei@gmail.com Department of Science, National University of Defense Technology, Changsha, China Abstract. Preneel, Govaerts, and Vandewalle[14](PGV) considered 64 most basic ways to construct a hash function from a block cipher, and regarded 1 of those 64 schemes as secure. Black, Pogaway and Shrimpton[3](BRS) provided a formal and uantitative treatment of those 64 constructions and proved that, in black-box model, the 1 schemes ( group 1 ) that PGV singled out as secure really are secure. By stepping outside of the Merkle-Damgård[4] approach to analysis, an additional 8 (group ) of the 64 schemes are just as collision resistant as the first group of schemes. Tight upper and lower bounds on collision resistance of those 0 schemes were given. In this paper, those collision resistance and preimage resistance bounds are improved, which shows that, in black box model, collision bounds of those 0 schemes are same. In Group 1 schemes, 8 out of 1 can find fixed point easily. Bounds on second preimage, multicollisions of Joux[6], fixed-point multicollisons[8] and combine of the two kinds multicollisions are also given. From those bound, Group 1 schemes can also be deviled into two group. Key Words: Hash Function, Block Cipher, M-D Construction 1 Introduction Most of hash functions iterated a compression function by Merkle-Damgård structure with constant [13]. Building hash function based on block cipher gone back to Rabin[15], wherein one makes the compression function out of a block cipher. This topic had been systematically analyzed in [3, 10, 11, 14]. Block cipher hash has been less widely used, for a variety of reasons. Black, Rogaway, and Shrimpton[3] given some fresh light on the block cipher based hash and taken a proof-centric look at the 64 block cipher based compression function iterated by Merkel-Damgård structure. First summary of those 64 schemes was presented by Preneel, Govaerts, and Vandewalle[14]. Recently, some new double length block cipher based hash functions have been recommend[7, 1]. PGV Paper PGV paper[14] considered turning a block cipher E : {0, 1} n
2 Lei Duo and Chao Li {0, 1} n {0, 1} n into a hash function H : ({0, 1} n ) {0, 1} n using a compression function F : {0, 1} n {0, 1} n {0, 1} n derived from E. PGV considered all 64 compression functions F of the form F (h, m i ) = E a (b) c, where a, b, c {h, m i, h m i, v}, in which v {0, 1} n is a constant. Of the 64 such schemes, the authors of [14] regarded 1 as secure. Another 13 schemes they classify as backward attackable. The remaining 39 schemes are subject to damaging attacks identified by [14] and others. BRS Paper BRS paper[3] taken a more proof-centric look at the schemes from PGV, proved additional 8 schemes were collision resistant, divided the 0 schemes into two group where the group 1 scheme, {H 1,..., H 1 }, was the 1 schemes picked by PGV and the group scheme, {H 13,..., H 0 }, was the new founded 8 schemes. For the new founded schemes, the hash function H immune to collision attack within the Merkle-Damgård paradigm, the compression functions were not immune to collision attack, the proves of collision resistant of group used the assumptions of E was a black box model and H with fix start model. They also gave both upper and lower bounds for each. Our PGV Results We reanalyze those 64 schemes, improve the upper and lower bounds that were given in BRS paper, using method based on graph theory, by which, hashing procedure is considered as directed graph drawing procedure and attacking method is considered path building method on directed graph. Tabel1 is contrast of bounds between BRS and ours. Table considers the second preimage bounds with plain padding and MD-strengthening padding. Table 1. Summary of results on collision and preimage resistance bounds including BRS and ours. The adversary asks at most uery. Message padding is plain padding. Collision Resistance Preimage Resistance Category UP Bound Low Bound UP Bound Low Bound BRS Our BRS Our BRS Our BRS Our Group-1: H [1..4] 0.039( 1)( 3) H [1..1] n (+1) (+1) (+1) n n n n+1 n 1 n 1 n 0.6 n n 1 3(+1) 0.3( 1) 9(+3) (+1) 0.15 (+1) n n n n n n+ 1 schemes H [5..1] 0.3( 1) Group-:H [13..0] Short DiCycle Multicollisions This attack is an attack similar to Multicollisions, if Multicollisions is regarded as attack using short undirected cycle to build collisions, then Short DiCycle Multicollisions is attack using short directed cycle to build collisions. This attack was first given by Kelsey and Schneier[8]. Summary of Short DiCycle multicollisions, Combine of Joux s and Kelsey s Multicollisions, that are contrast with Joux s Multicollisions are given in Tabel3.
3 Improved Collision and Preimage Resistance Bounds on PGV Schemes 3 Table. Summary of bounds on second preimage resistance. Adversary asks at most uery with plain padding(plainpd) and MD-strengthening padding(md-sp). t is the first message length. Second Preimage UP Low Attack PlainPD MD-SP PlainPD MD-SP H [1..4] H [5..1] H [13..0] (t+1) (t+1) n n 1 n+ n (t 1) (t 1) n n+ (+t+3) (+t) (+4t+3) (+t) n n n+ n+ Table 3. Summary of Short DiCycle multicollisions, Combine Multicollisions, that are contrast with Joux s Multicollisions. Message padding is MD-strengthening padding with time consuming(time), minimum message length(mml) and maximum collide numbers(mcn). Joux s Short Dicycle Combine Multicollisons Multicollisions Multicollisions Multicollisions Time MML MCN Time MML MCN Time MML MCN H [1..4] H [5..1] K n/ K K K n/ L + K S(L, K) a 3K n/ L+K K S(L, K) H [13..0] K n/ L + K S L(K) 3K n/ L+K K S(L, K) a S(L, K) = K il... i 3 (i i L =0 i L 1 =0 i + 1) =0 Notations and Definitions Let message block: m {0, 1} n, message: m = m 1... m i t =1{0, 1} n and instance of message: m i t =1{0, 1} n. If m, m {0, 1} n, then m m {0, 1} n and m = m = n. Let m (t) 1 = m 1... m 1, where m (t) 1 = t n. Let 0 be n bit 0. Let a hash function algorithm H : M Y with initial value, for any m M with H(m, ). Let Block cipher E : {0, 1} n {0, 1} n {0, 1} n using notation E(x, k) or E k (x), key k {0, 1} n. 64 Schemes We consider the schemes F (h, m i ) = E a (b) c, where a, b, c {h, m i, h m i, v}, in which block cipher E : {0, 1} n {0, 1} n {0, 1} n. has compression function F, in which is numbered as BRS[3]. Not loosing generally, we assume v = 0. Message Padding Take the L-bit input message m (L < n/ ) and append a 1 followed by 0 bits such that z is the smallest positive integer satisfying (L z n/ mod n) and, finally, append the binary representation of the length of the original message P(m). We call this padding method as MDstrengthening m 1 0 (z) P(m). The padding m 1 0 (z) is called plain padding, in which z is the smallest positive integer satisfying (L z 0 mod n). Ideal Cipher Model[16] A block cipher with the block length n and the
4 4 Lei Duo and Chao Li key length κ is called an (n, κ) block cipher. Let E : {0, 1} n {0, 1} κ {0, 1} n be an (n, κ) block cipher. Then, E(k, ) is a permutation for every k {0, 1} κ, and it is easy to compute both E(k, ) and E(k, ) 1. Let B n,κ be the set of all (n, κ) block ciphers. In the ideal cipher model, E is assumed to be randomly selected from B n,κ. The encryption E and the decryption E 1 are simulated by the following two oracles. The encryption oracle E first receives a pair of a key and a plaintext as a uery. Then, it returns a randomly selected ciphertext. On the other hand, the decryption oracle E 1 first receives a pair of a key and a ciphertext as a uery. Then, it returns a randomly selected plaintext. Adversary We consider a computationally unbounded adversary with access to either a E and E 1. The adversarys running time is determined by her number of E ueries. Our adversaries are probabilistic algorithms, and we concentrate on the expected running time. We will describe the running time asymptotically. Advantage on Collision We write x $ S for the experiment of choosing a random element from the finite set S and calling it x. An adversary is an algorithm with access to one or more oracles. We write these as superscripts. The adversary A with the oracle E, E 1 is a collision-finding algorithm of H. The advantage of A finding collisions in H is: Adv coll H (A) = P r[e $ B n,κ ; (m, m ) $ A E,E 1 : m m H(m) = H(m )]. Advantage on Preimage The advantage of A finding preimage in H is: (A) = P r[e $ B n,κ ; $ {0, 1} n ; m A E,E 1 () : = H(m)]. Advantage on Second Preimage The advantage of A finding second preimage in H is: H sp re Adv H (A) = P r[e $ B n,κ ; m $ {0, 1} n ; m A E,E 1 (m) : H(m) = H(m )]. For > 1 let AdvH attack () = max A {Advattack H (A)}, where A makes at most ueries to E, E 1 in total, attack {coll, pre, sp re}. Simulating a Ideal Cipher Oracle[3] An adversary A access to a simulate ideal cipher oracle for E and E 1, which is defined as follows: Algorithm SimulateOracles(A, n) Initially, i 0 and E k (x) = undefined for all (x, k) {0, 1} n {0, 1} n Run A?,?, answering oracle ueries as follows: When A asks a uery (x, k) to its left oracle: $ i i + 1; k i k; x i x; y i Range(Ek ); E k (x) y i; return y i to A When A asks a uery (k, y) to its right oracle: $ i i + 1; k i k; y i y; x i Domain(Ek ); E k (x i) y; return x i to A When A halts, outputting a string out: return ((x 1, k 1, y 1),..., (x i, k i, y i), out) Fig. 1. Domain(E k ) is the set of points x where E k (x) is no longer undefined and Domain(E k ) = {0, 1} n Domain(E k ). Range(E k ) is the set of points where E k (x) is no longer undefined and Range(E k ) = {0, 1} n Range(E k ).
5 Improved Collision and Preimage Resistance Bounds on PGV Schemes 5 Merkle-Damgård Graph Let H : ({0, 1} κ ) {0, 1} n be a Merkel Damagård construction hash function with compression function F : {0, 1} n {0, 1} κ {0, 1} n and initial value. Let Merkle-Damgård Graph be a directed graph G = (VG, E G ). If h = F (h, e), then h and h are in vertex set V G {0, 1} n and (h, e, h ) or h e h, an arc begin from h point at h, is in edge set E G = {(h, e, h )} {0, 1} n {0, 1} κ {0, 1} n. Graph Drawing Attack Let A?,? be an adversary attacking. We analyze the behavior of A when its left oracle is instantiated by E $ B n,n and its right oracle is instantiated by E 1. Assume that A asks its oracles at most total ueries. A runs the algorithm SimulateOracle(A, n) and draws a directed graph G H. When A asks an E uery(x, k) and this returns a value y, or when A asks an E 1 uery of (k, y) and this returns x. Then A adds vertexes f 1 (x, k, y), f 3 (x, k, y) and an arc (f 1 (x, k, y), f (x, k, y), f 3 (x, k, y)) to G H. Time consuming of graph drawing procedure is neglected. For h i = F (h, m i ), the relations f 1 = f = f 3 = h i = f 1 = f = f 3 = h i = 1 k x y x E h (m i) m i 13 x k x y E wi (m i) k x k y x E h (w i) w i 14 x k x y k E wi (m i) w i 3 k x y x k E h (m i) w i 15 x k y E mi (h ) 4 k x k y x k E h (w i) m i 16 x x k y E wi (h ) 5 x k y x E mi (h ) h 17 x k y k E mi (h ) m i 6 x k k y x E mi (w i) w i 18 x x k y k E wi (h ) w i 7 x k y x k E mi (h ) w i 19 x k k y E mi (w i) 8 x k k y x k E mi (w i) h 0 x k k y k E mi (w i) m i 9 x k x y x E wi (m i) m i 1 k x y k E h (m i) h 10 x x k y x E wi (h ) h k x k y k E h (w i) h 11 x k x y x k E wi (m i) h 3 k x y E h (m i) 1 x x k y x k E wi (h ) m i 4 k x k y E h (w i) Fig.. Rules for the functions of building vertexes and arc, in which the adversary gets uery (x, k, y) then computes the value f 1 := f 1(x, k, y), f := f (x, k, y) and f 3 := f 3(x, k, y). w i := h m i. The first and sixth columns are the number of those Group 1[1..1] and Group [13..0] and additional 4 schemes numbered [1..4]. among h i, m i, h and f 1, f, f 3 are that: h = f 1 (x, k, y), m i = f (x, k, y) and h i = f 3 (x, k, y), or saying f 3 (x, k, y) = F i (f 1 (x, k, y), f (x, k, y)). Relation among f 1 (x, k, y), f (x, k, y), f 3 (x, k, y) of those 0 schemes are in Fig. Combine of running SimulateOracle(A, n) and Graph drawing procedure is showing in Fig3, named GraphDrawing(A, n). Let G H be G H after -th uery, G H begin with G 0 H. Let H be connected subgraph of G H, C be directed cycle or loop in G H, C be undirected cycle or loop in G H ( on assuming the arc is undirected), and P be directed directed Path in G H.
6 6 Lei Duo and Chao Li In different attack, A uses following methods: A selects different G 0 H ; A defines different event as success event; In i-th uery, A adds restriction on selection of (x i, k i ) for E uery, or on selection of (y i, k i )for E 1 uery. GraphDrawing(A, n) Initially, i 0 and E k (x) = undefined for all (x, k) {0, 1} n {0, 1} n, G H = G 0 H. Run A?,?, answering oracle ueries as follows: When A asks a uery (x $ {0, 1} n, k $ {0, 1} n ) to its left oracle: i i + 1; k i k; x i x; y i $ Range(Ek ); E k (x) y i; return y i to A; When A asks a uery (y $ {0, 1} n, k $ {0, 1} n ) to its right oracle: $ i i + 1; k i k; y i y; x i Domain(Ek ); E k (x i) y; return x i to A; V G {f 1(x i, k i, y i), f 3(x i, k i, y i)}; H V G i H E G i H E G H {(f 1(x i, k i, y i), f (x i, k i, y i), f 3(x i, k i, y i))}; When A halts, outputting a string and Graph G i H: return ((x 1, k 1, y 1),..., (x i, k i, y i), G i H). Fig. 3. Adversary A executes its (simulated) oracle to form a directed graph G H build attack on, where G H : V GH {0, 1} n ; E GH {0, 1} n {0, 1} n {0, 1} n. to Conventions We assume the adversary does not ask any oracle uery in which the response is already known; namely, if A asks a uery E k (x) and this return y, then A does not ask a subseuent uery of E k (x) or E 1 k (y); and if A asks E 1 k (y) and this return x, then A does not ask a subseuent uery of E 1 k (y) or E k(x). We also assume a successful adversary always outputs one or more messages m i, which either collide or (nd)preimages. Before finishing, the adversary asks all the oracles calls to compute all hash values H(m i, ). In E uery(x, k), f 1 (x, k, y) and f (x, k, y) are not influenced the return value y, so before asking E uery, we use notation? to represent the unknown y; namely, when x and k is known, f 1 (x, k, y) is known, then, before getting E uery(x, k), we use f 1 (x, k,?) to represent this value. And before getting E 1 uery(k, y), we use notation? to represent some unknown x. 3 Collision Resistance of PGV Schemes BRS paper analyzed the group 1 schemes using the Merkle-Damgård paradigm, for their compression functions are collision resistant. Group schemes were analyzed by graph theory. We use Merkel-Damagård drawing method to analyze those schemes, by which preimage, second preimage or collision finding attack is converted to special path finding algorithm. Theorem1 and Theorem based on the fact that, adversary A runs algorithm GraphDrawing(A, n) with G 0 =
7 Improved Collision and Preimage Resistance Bounds on PGV Schemes 7 { }, if A gets connect subgraph H G H with a cycle or loop C in it and vertex in it, then he formes a collision attack on. h m 1 0 Collision on H is that two directed paths m P = h 1 m 0... l hl and P =... m l h l have same start h 0 = h 0 and same end h l = h l, or P P builds a connect graph, a cycle or loop and on it. However this way of collision does not consider the message padding. If H uses MD strengthening padding, then the length of P and P should be eual or the message lengths are included in m l and m l. The proofs of Theorem is on condition of plain padding, that is also holden in MD strengthening padding, by restricting f 1 (x i, k i,?) = or including message length in f (x i, k i,?). Theorem 1. Fix n 1, message padding is plain padding, Group 1 Scheme: AdvH coll (A) ( + 1)/ n for any 1 and [1..1]. Group Scheme: AdvH coll (A) ( + 1)/ n for any 1 and [13..0]. Group 3 Scheme: AdvH coll (A) = 1 for any and [1..64]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with 0 G = { }. Let E be the event that, as a result of the adversary s ueries, there be a connected subgraph H G H, which has a Cycle or loop C and vertex. Let assume { } be a connected graph. Let E i be the event that E occurs by the i-th uery. Define E 0 be the null event. Then Pr[E] = i=1 Pr[E i E... E 0 ]. We have AdvH coll (A) Pr[E]. Claim AdvH coll (A) Pr[E]. Meaning collision on at least is a connected subgraph H G H, H has a cycle or loop C and vertex. A outputs colliding message m = m 1... m l and m = m 1... m l ; that is H i(m, ) = H i (m, ). In path m P = h 1 0 m 1 m m h m 1... l hl and P = h 0 h 1... m l h l, we have h 0 = h 0, h l = h l and P P. Then there exists at least one cycle or loop in P P and P P. P P is a connect subgraph. Claim Let H be connect subgraph in G H and in each H, a cycle or a loop C H or H. Let H G H, H be union of all such connected subgraphs in G H. Then V H + 1. If H is a connect subgraph, then V H E H + 1. If a cycle or loop C H, then V H E H. Since V H = V H E H + 1 E G + 1 = + 1, we have V H + 1. H Claim Let V er H (f (x, k, y)) i be event that f (x i, k i, y i ) H. Then P r[e i E... E 0 ] Pr[V er H (f 1) i V er H (f 3) i ]. Let E occurs in i-th uery. Then there exists a connected subgraph H with H and a cycle or loop C in H and H G i H. We will give proof of H (f 1, f, f 3 ) H. If that is true, then f 1, f 3 H. Firstly, if (f 1, f, f 3 ) is in cycle C, then H (f 1, f, f 3 ) is connected graph and H. Secondly, if (f 1, f, f 3 ) is not in cycle C, then at most two connected graph in
8 8 Lei Duo and Chao Li H (f 1, f, f 3 ) denoted H 1 and H. Since H, we have H 1 H. Let assume H 1. If there is a cycle in H 1, then that is conflict with collision occur in i-th uery. Since (f 1, f, f 3 ) / C, then there is a circle in H. We have H 1 H H, that implies f 1, f 3 H. Claim Pr[E] (+1), [1..1]. n Given E... E 0, the event E i occurs at least in case that, the return vertex of i-th uery has been exist in vertexes set H. Pr[V er H (f 1) i V er H (f 3) i ] Pr[V er H (f 3) i V er H (f 1) i ]. If E i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at least n (i 1). Then f 3 (x i, k i, y i ) is a random value from a set of size at least n (i 1). We also have V H i. So, i n (). Pr[E i E... E 0 ] Alternatively, let E i occur via an E 1 uery(y i, k i ). For schemes [1..4], A can select f 1 (x i, k i, y i ) H directly, that success probability is same as asking E-uery. For schemes [5..1], f 1 (x i, k i, y i ) is a random value from a set of size at least n (i 1). Then Claim Pr[V er H (f 1) i V er H (f 3) i ] = Pr[V er H (f 1) i V er H (f 3) i ]Pr[V er H (f 3) i ] We have Pr[E] i=1 Pr[E i E... E 0 ] i=1 Pr[E] (+1) n, [13..0]. i n () (+1). n If E i occurs via an E uery(x i, k i ), then that probability is same as gruop1. Alternatively, if E i occurs via an E 1 uery(y i, k i ), then f 1 (x i, k i, y i ) is a random value from a set of size at least n (i 1). So, Pr[V er H (f 1) i V er H (f 3) i ] Pr[V er H We can select vertex f 3 (x i, k i, y i ) in H Pr[E] i=0 Pr[E i E... E 0 ] i=1 Claim Pr[E] = 1, [1..64]. (f 1) i V er H (f 3) i ]. We have, i n () (+1). n Pr[E i E... E 0 ] Pr[V er H (f 1) i V er H (f 3) i ] In th uery, we can directly select f 1 (x i, k i, y i ), f 3 (x i, k i, y i ) V H 1. So we have Pr[E] = 1,. Theorem. Fix n 1, message padding is plain padding, Group 1 Scheme Group Scheme Adv coll Adv coll (A) ( + 1)/ n+1 for any 1 and [1..1]. (A) ( + 1)/ n+1 for any 1 and [13..0]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with G 0 = { }. Let A only ask E uery(x, k). In each uery, A selects x and k to satisfy f 1 (x, k,?) V GH. Then G H is connected graph and G H, that is G i = H. i Let C be the event of G H and there exists a cycle or loop in C. Let C i be the event that C occurs by the i-th uery. Define C 0 be the null event. Then Pr[C] = i=1 Pr[C i C... C 0 ]. We have Adv coll (A) Pr[C].
9 Improved Collision and Preimage Resistance Bounds on PGV Schemes 9 Claim AdvH coll (A) Pr[C]. If adversary A build a cycle or loop C in i-th uery. Then there are two directed path P and P in G i with P = h 0 h 1... h l, P = h 0 h 1... h l, in which h l = h l = f 3(x i, k i, y i ) and P P. Claim P r[c i C... C 0 ] Pr[V er G (f 3 ) i ]. H If f 3 (x i, k i, y i ) G, then E(G i ) = V (G i ). There must exist a cycle or loop in G H. Claim AdvH coll (A) ( + 1)/ n+1 for any 1 and [1..0]. Given C... C 0, the event C i occurs in case that, the return vertex of i-th uery has been exist in vertexes set G. If E i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at most n. Then f 3 (x i, k i, y i ) is a random value from a set of size at most n. So, Pr[C] i=1 Pr[C i C... C 0 ] i=1 i = (+1) n. n+1 Theorem 3. Fix n 1, message padding is MD strengthening padding, for any 1 and [1..0]. ( 1)/ n Adv coll (A) ( 1)/ n+1 4 Preimage Resistance of PGV Schemes The proofs of Theorem 4 and Theorem 5 follow the fact that, a preimage is a directed path from to in graph G H. If adversary A finds a directed path from to, then he builds a preimage. The bounds on preimage attack not consider the MD-strengthening padding, if the padding is considered, the bounds are same. Because message length can be added in f (x i, k i, y i ), before asking i-th uery. Theorem 4. Fix n 1, given, message padding is plain padding, Group 1 Scheme Group Scheme Others Scheme (A) / n 1 for any 1 and [1..1]. (A) ( + 1)/ n for any 1 and [13..0]. (A) = 1 for any 1 and [1..64]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with G 0 = {, }. Preimage finding is not finding a cycle or loop, it is finding a path. Let assume { } and {} be connected subgraphs. Let E be the event that, as a result of the adversary s ueries, there are formed a directed path P in G H, P and P. Let E i be the event that E occurs by the i-th uery. Define E 0 be the null event. Then Pr[E] = i=1 Pr[E i E... E 0 ]. We have (A) Pr[E]. Claim (A) Pr[E]. Implying preimage on H at least is a path P G H, in which P and P.
10 10 Lei Duo and Chao Li Claim Let Arc (f 3 (x, k, y)) be event that f 3 (x, k, y) =. Then P r[e] Pr[Arc (f 3 (x, k, y))]. That implies at least a directed arc point at. Claim Let H a be connect subgraph in G H with a H a, in which a {, }. Let Ha be the connect graph after -th uery. Then V H Claim P r[e i E... E 0 ] Pr[V er H Claim Pr[E], [1..1]. n 1 Claim Pr[E] (+1), [13..0]. n Claim Pr[E] = 1, [1..64]. For given and, we have P r[v er H Detail is in Appendix A. (f 1 ) i V er H +. H (f 3 ) i ]. (f 1 ) i V er H (f 3 ) i ] = 1. Theorem 5. Fix n 1, given, message padding is plain padding, Group 1 Scheme Group Scheme (A) / n for any 1 and [1..1]. (A) ( + 1)/ n+ for any 1 and [13..0]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with G 0 = {, }. Claim AdvH coll (A) / n for any 1 and [1..1]. A only asks E uery(x, k) with x i and k i satisfing f 1 (x i, k i,?) H. Let C be the event of H and at least a edge in H. AdvH coll Claim Adv coll (A) Pr[C] i=1 Pr[V er H (f 3 ) i ] i=1 1 n = n. (A) ( + 1)/ n+ for any 1 and [13..0]. A asks E uery(x, k) and E 1 uery(y, k), alternately. In odd-th uery, A selects x and k satisfying f 1 (x, k,?) H, in even-th uery, A selects y and k satisfing f 3 (?, k, y) H. Let C be the event of H and at least a edge in H. If C occurs in E uery, then AdvH coll (A) Pr[C] Pr[V er H (f 3 ) i ] i/ +1 i=1. If C occurs in E 1 uery, then n Adv coll (A) Pr[C] Pr[V er H Detail is in Appendix A. (f 1 ) i ] i=1 i/ +1 n. 5 Second Preimage Resistance of PGV Schemes Second preimage bounds on with plain-padding and MD-strengthening are different, for the success events of those two attacks are different. Let the given message build a path P. Second preimage attack with plain padding is also a direct path P finding attack, for which the target is all vertexes in path P. Theorem 6. Fix n > 1, 1, let H(m, ) =, m = m 1... m t, message padding is plain padding,
11 Improved Collision and Preimage Resistance Bounds on PGV Schemes 11 Group 1 Scheme: (t+1) sp re Adv n (A) (t+1) for [1..1]. n 1 Group Scheme: (4t++3) sp re Adv n+ (A) (t++3) for [13..0]. n Proof. This proof is followed the proofs of Theorem 4 and Theorem 5. Let A?,? be an adversary attacking. Let m = m 1... m t, σ := H(m, ), m = m 1..., m, t. Let σ 0 :=. A runs GraphDrawing(A, n) with G 0 := {σ 0 t}. A follows graph drawing method of Theorem 4 and Theorem 5. UP Bound of Group 1 In -uery Pr[Arc σ (f 3 )], we have n 1 sp re Adv () t =0 Pr[Arc σ (f 3 )] (t+1). In i-th uery Pr[V er n 1 H (f σ 3 ) i ] t t+1 sp re. We have, Adv n () i=1 Pr[V er H (f σ 3 ) i ] (t+1) t. n UP Bound of Group Since Pr[V er H (f σ 3 ) i V er t H (f 1 ) i ] i+t+1 n (). sp re Adv () i+t+1 i=0 n () (+t+3). In i-th uery, Pr[V er n H (f σ 3 ) i ] t i +t+1 sp re. We have, Adv n () i=1 Pr[V er H (f 3 ) i ] (4t++3). n+ Theorem 7 is based on the facts that, if the message length is considered, in each uery, the target image set is not set {σ, 0 t}, is a vertex in it. Then the bound will become same as preimage attack. However, in schemes [5..0], A can build a short direct cycle or loop C, in this way, the length of second message can be controlled by A. Let L = C. The target image set becomes {σ L t/l }. C can found by precomputation with complexity of O( n/ ), which can be used in any second preimage attack, that was not included in complexity bounds of finding second preimage. Theorem 7. Fix n > 1, 1, let H(m, ) =, m = m 1... m t, message padding is MD strengthening padding, sp re Schemes [1..4] Adv n (A). n 1 (t 1) sp re Schemes [5..1] Adv n (A) (t 1). n 1 (+1) sp re Schemes [13..0] Adv n+ (A) (+1). n Proof. This proof is followed the proofs of Theorem 6 and Theorem 7. Let A?,? be an adversary attacking. Let σ := H(m, ), m = m 1..., m, t. Schemes [1..4] For M D-strengthening, when message length is included in f (x i, k i, y i ), the success event is Arcσ, not V er Hσ. Schemes [5..1] Before attacking, [5..1], A find message blocks m 1 and m with (m 1 m (i), ) = (m 1 m (j), ), i, j > 0, detail is given in next section, called expandable fixed point. Let = (m 1, ). Let G 0 H := {σ, }. We have (t 1) sp re Adv n (A) (t 1). n 1 Schemes [13..0] Before attacking, [13..0], A find message blocks m 1 and m with ((m 1 m ) (i), ) = ((m 1 m ) (j), ), i, j > 0, detail is given in next section. Let G 0 H := {σ t}. We have (+t) n+ sp re Adv (A) (+t). n σ
12 1 Lei Duo and Chao Li 6 Multicollisions on PGV Schemes Multicollisions Multicollisions attack is first given by Joux[6], which is a way to produce a large number of messages that collide for an iterated hash function, with only a little more work than is needed to find a single pair of messages that collide. More precisely, using t collision H(B 1... B l, ) = H(B 1... B l, ), where B i B i and l = 1,..., t, we can build t -collisions in H. The time consuming is t O( n/ ). The collide block finding procedure is illustrated as Algorithm CollisionBlock(A, h, t): CollisionBlock(A, h, t) For i := 1 to A selects x i, k i with f 1 (x i, k i,?) = h, then asks E uery(x i, k i ). A success with f 3 (x i, k i, y i ) = f 3 (x j, k j, y j ), return m t f (x i, k i, y i ); m t f (x j, k j, y j ); h t f 3 (x i, k i, y i ); Fixed-Point Expandable Message A fixed point is a pair (h, m i ) such that h = F (h, m i ). Compression functions based on Davies-Meyer construction, such as the SHA family, MD4, MD5 and Tiger, have easily found fixed points. Kelesy and Schneier[8] gave a second preimage attack based on Fixed-Point expandable message. We call it expandable short dicycle in this paper, for, in schemes [13..0], fixed-point expandable message is not easy to be found, but a similar expandable short directed cycle as expandable fixed point can be found and attacks based on them. Expandable Short DiCycle Expandable Short dicycle reuires a short directed cycle or loop being build with desired prefix. Let A?,? be an adversary attacking. A runs algorithm GraphDrawing(A, n). The expandable short dicycle found algorithm is as follows: ExpandableDiCycle(A, h, t, ) For i := 1 to n/ A selects (x i, k i ) with f 1 (x i, k i,?) = h asks E uery(x i, k i ). For i := 1 to n/ If {5, 8, 10, 11} Then A selects (y i, k i ) with y i = 0 asks E 1 uery(y i, k i ). If {6, 7, 9, 1} Then A selects (y i, k i ) with y i = k i asks E 1 uery(y i, k i ). If [13..0] Then A selects (y i, k i ) with f 3(?, k i, y i ) = h asks E 1 uery(y i, k i ). A success with f 3 (x i, k i, y i ) = f 1 (x j, k j, y j ), return m t f (x i, k i, y i ); m tt f (x j, k j, y j ); h t f 3 (x i, k i, y i ); Short DiCycle Multicollisions Short DiCycle Multicollisions attack is first given in[8], which is a way to produce a large number of messages that collide for an iterated hash function, with only a little more work than is needed to find a single pair of expandable short dicyle. More precisely, using t short dicycle, we
13 Improved Collision and Preimage Resistance Bounds on PGV Schemes 13 can build multicollisions in. The time consuming is t O( n/ ). (m 1 m (k1) m t m (kt) tt ) = (m 1 m (k 1 ) m t m (k t ) tt ), [5..1] With t i=1 k i = t i=1 k i. Let l := t i=1 k i. Then adversary takes t n/ times finding S l (t), l + t length multicollisions, where S l (t) = t i l =0 S l 1(i l ). S l (t) = t S l 1 (i l ) = i l =0 t i l i l =0 i l 1 =0 S l (i l 1 ) = t i l i l =0 i l 1 =0... i 3 i =0 S (i ). Where S (i) = i + 1. For schemes [13..0], the minimum message length is l + t with t n/ complexity and S l (t) collisions. Combine Multicollisions Let A?,? be an adversary attacking. A runs algorithm GraphDrawing(A, n) building multicollision, where original multicollisions and short Dicycle multicollisions are combined. (m 1 m (k1) 11 m m 3 m (k) m t 1 m (kt) t 1t 1 m t) = (m 1 m (k 1 ) 11 m m 3 m (k ) m t 1 m (k t ) t 1t 1 m t), [5..1] With t i=1 k i = t i=1 k i. Let l := t i=1 k i.then adversary takes O(3t n/ ) times E uery to get O( t (t + 1) l 1 ), t + l length multicollisions, where l t h Schemes[5..1] n/+i h h CollisionBlock(A,h) 1 Schemes[13..0] 3 Joux's Multicollisions 4 DiCycle Multicollisons 5 DiCycle Multicollisons 6 f (x i,k i,y i ) f 1 (x i,k i,y i ) f 3 (x i,k i,y i ) Combine Multicollisions 7 Graph Example 8 Fig. 4. Directed Cycle finding algorithms of schemes [5..1] and [13..0] are illustrated in subgraph 1 and. Undirected Cycle(Multicollision block) finding algorithm is given in subgraph 3. Joux s Multicollisions, Kelsey s Multicollisions on schemes [5..1] and [13..0] and combine of those two Multicollisions are presented in subgraph 4, 5, 6, 7, respectively.
14 14 Lei Duo and Chao Li 7 Conclusions In this paper, we give the bounds on PGV schemes against preimage, second preimage, collision and multicollisions, and that are improved by graph drawing method and short cycle build method. We omit the bounds of some new attacks including second preimage attack based on other expandable message[8] and preimage attack based on herding attack[9], for those bounds can be precise by similar way as second preimage attack. From the bounds, schemes [1..4] seems better than schemes [5..0], but more analysis is reuired. References 1. E.Biham and R.Chen. Near-Collisions of SHA-0 and SHA-1. In Selected Areas in Cryptography-SAC E.Biham and R.Chen. Near-Collisions of SHA-0,In Advances in Cryptology CRYPTO 004, LNCS 315,pp90-305, J.Black, P.Rogaway, and T.Shrimpton, Black-box analysis of the block-cipherbased hashfunction constructions from PGV. In Advances in Cryptology - CRYPTO 0, volume 44 of Lecture Notes in Computer Science. Springer-Verlag, 00.pp I.Damgård. A design principle for hash functions. In G. Brassard, editor, Advances in Cryptology-CRYPTO 89, volume 435 of Lecture Notes in Computer Science. Springer-Verlag, J.Daemen and V.Rijmen: The Design of Rijndael: AES The Advanced Encryption Standard. Springer, A.Joux. Multicollisions in iterated hash functions, application to cascaded constructions. Crypto 04, LNCS 315, 306C S. Hirose. Some plausible constructions of double-block-length hash functions. In Preproceedings of the 13th Fast Software Encryption Workshop (FSE 006), pp , J. Kelsey and B. Schneier. Second preimages on n-bit hash functions for much less than n work. In R. Cramer, editor, EUROCRYPT 005, LNCS 3494, pp , John Kelsey, Tadayoshi Kohno. Herding Hash Functions and the Nostradamus Attack. In S. Vaudenay, editor, EUROCRYPT 006, LNCS 4004, pp , X.Lai and J.L.Massey: Hash functions based on block ciphers. In Advances in Cryptology Eurocrypt 9, Lecture Notes in Computer Science, Vol Springer- Verlag, Berlin Hei-delberg New York (1993) C. H. Meyer and S. M. Matyas. Cryptography: a New Dimension in Data Security. Wiley & Sons, M. Nandi, W. Lee, K. Sakurai, and S. Lee. Security analysis of a /3-rate double length compression function in the black-box model. In Proceedings of the 1th Fast Software Encryption (FSE 005), LNCS 35571, pp , B.Preneel, V. Rijmen, A.Bosselaers: Recent Developments in the Design of Conventional Cryptographic Algorithms. In State of the Art and Evolution of Computer Security and Industrial Cryptography. Lecture Notes in Computer Science, Vol 158. Springer-Verlag, Berlin Heidelberg New York(1998)
15 Improved Collision and Preimage Resistance Bounds on PGV Schemes B. Preneel, R. Govaerts, and J. Vandewalle, Hash functions based on block ciphers,, In Advances in Cryptology -CRYPTO 93, Lecture Notes in Computer Science,pages Springer-Verlag, M. O. Rabin. Digitalized Signatures. In R. A. Demillo, D. P. Dopkin, A. K. Jones, and R. J. Lipton, editors, Foundations of Secure Computation, pages , New York, Academic Press. 16. C.E. Shannon. Communication theory of secrecy systems,, Bell System Technical Journal, 8:656C715, X.Wang, H.Yu, How to Break MD5 and Other Hash Functions, EURO- CRYPT 005, Springer-Verlag, LNCS 3494, pp19-35, X. Wang, X. Lai, D.Feng and H.Yu., Cryptanalysis of the Hash Functions MD4 and RIPEMD, EUROCRYPT 005, Springer-Verlag,LNCS 3494, pp1-18, 005. A Bounds on Preimage The following theorem is proof of Theorem4. Theorem 8. Fix n 1, given, message padding is plain padding, Group 1 Scheme Group Scheme Others Scheme (A) / n 1 for any 1 and [1..1]. (A) ( + 1)/ n for any 1 and [13..0]. (A) = 1 for any 1 and [1..64]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with G 0 = {, }. Preimage finding is not finding a cycle or loop, it is finding a path. Let assume { } and {} be connected subgraphs. Let E be the event that, as a result of the adversary s ueries, there are formed a directed path P in G H, P and P. Let E i be the event that E occurs by the i-th uery. Define E 0 be the null event. Then Pr[E] = i=1 Pr[E i E... E 0 ]. We have (A) Pr[E]. Claim (A) Pr[E]. Implying preimage on H at least is a path P G H, in which P and P. Adversary A find message m = m 1... m l with H(m, ) =. m Then we build path P = h 1 m 0 m h1... l we have h0 =, h l =. Then there exists at least one path P, in which P and P. Claim Let Arc (f 3 (x, k, y)) be event that f 3 (x, k, y) =. Then P r[e] Pr[Arc (f 3 (x, k, y))]. That implies at least a directed arc point at. Claim Let H a be connect subgraph in G H with a H a, in which a {, }. Let Ha be the connect graph after -th uery. Then V H +. H Claim P r[e i E... E 0 ] Pr[V er H (f 1 ) i V er H (f 3 ) i ]. If E occurs in i-th uery, then there exists a Path P with, P and P G i H. We will give proof of P (f 1, f, f 3 ) H H. If that is true, then f 1 H and f 3 H. Since (f 1, f, f 3 ) is in path P, two connected graph in P (f 1, f, f 3 ) denoted H 1 and H. Since P, we have H 1 H. Let H 1. If in H 1, then that is conflict with path occur in i-th uery. We have f 1 H and f 3 H.
16 16 Lei Duo and Chao Li Claim Pr[E] n 1, [1..1]. If Arc (f 3 (x, k, y)) occurs via an E uery(x, k), then y is a random value from a set of size at least n (i 1). Then f 3 (x i, k i, y i ) is a random value from a set of size at least n (i 1). Let the A try time, then Pr[Arc (f 3 )] n (i 1). Alternatively, if E i occurs via an E 1 uery(y, k), then f 3 (x i, k i, y i ) is still a random value from a set of size at least n (i 1). Then Pr[E] Pr[Arc (f 3 )] n (i 1) n 1. Claim Pr[E] (+1), [13..0]. n Given E... E 0, the event E i occurs in case that, the return vertex of i-th uery has been exist in vertexes set H and H Pr[V er H (f 1 ) i V er H (f 3 ) i ] Pr[V er H. (f 3 ) i V er H (f 1 ) i ]. If E i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at least n (i 1). Then f 3 (x i, k i, y i ) is a random value from a set of size at least n (i 1). We also have V H i. So, Pr[E i E... E 0 ] i n (i 1). Alternatively, if E i occurs via an E 1 uery(y i, k i ), then f 1 (x i, k i, y i ) is a random value from a set of size at least n (i 1). Then Pr[V er H (f 1 ) V er H (f 3 ) i ] = Pr[V er H Pr[E i E... E 0 ] We have Pr[E] i i=1 n () (+1). n Claim Pr[E] = 1, [1..64]. For given and, we have P r[v er H The following theorem is proof of Theorem5. i n (i 1). (f 1 ) i V er H (f 3 ) i ] (f 1 ) i V er H (f 3 ) i ] = 1. Theorem 9. Fix n 1, given, message padding is plain padding, Group 1 Scheme Group Scheme (A) / n for any 1 and [1..1]. (A) ( + 1)/ n+ for any 1 and [13..0]. Proof. Let A?,? be an adversary attacking.
17 Improved Collision and Preimage Resistance Bounds on PGV Schemes 17 Claim AdvH coll (A) / n for any 1 and [1..1]. Followed the attack on Theorem 4, let adversary A only ask E uery(x, k). In each uery, select x i and k i to satisfy f 1 (x i, k i,?) H. Let C be the event of H and at least a edge in H. Let C i be the event that C occurs by the i-th uery. Define C 0 be the null event. Then Pr[C] = i=1 Pr[C i C... C 0 ]. We have AdvH coll (A) Pr[C]. If adversary A builds a connected Graph H with H, then there is a path P from to. If C i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at most n. Then f 3 (x i, k i, y i ) is a random value from a set of size at most n. So, Pr[V er H (f 1 ) i V er H (f 3 ) i ] Pr[V er H (f 3 ) i ] 1 n Pr[C i C... E 0 ] 1 n. We have Pr[E] i=1 1 = n. n Claim AdvH coll (A) ( + 1)/ n+ for any 1 and [13..0]. In the proof of Theorem3, let adversary A ask E uery(x, k) and E 1 uery(y, k), alternately. In odd-th uery, select x and k to satisfy f 1 (x, k,?) H, in even-th uery, select y and k to satisfy f 3 (?, k, y) H. Let C be the event of H and at least a edge in H. Let C i be the event that C occurs by the i-th uery. Define C 0 be the null event. Then Pr[C] = i=1 Pr[C i C... C 0 ]. We have AdvH coll (A) Pr[C]. If adversary A build a connected Graph H with H, then there is a path P from to. Given C... C 0, the event C i occurs in case that, the return vertex of i-th uery f 3 (x i, k i, y i ) has been exist in vertexes set V H. If C i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at most n. Then f 3 (x i, k i, y i ) is a random value from a set of size at most n. So, Pr[V er H (f 1 ) i V er H (f 3 ) i ] Pr[V er H (f 3 ) i ] Pr[C i C... E 0 ] i/ + 1 n. If C i occurs via an E 1 uery(y i, k i ), then x i is a random value from a set of size at most n. Then Pr[C i C... E 0 ] i/ + 1 n. We have Pr[E] i i=1 = (+1) n+1. n+
Cryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationBlack-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV
Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV J. Black P. Rogaway T. Shrimpton May 31, 2002 Abstract Preneel, Govaerts, and Vandewalle [7] considered the 64 most basic
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationSome Plausible Constructions of Double-Block-Length Hash Functions
Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,
More informationThe Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function J. Black July 1, 2005 Abstract The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationProvably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationSponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1
Sponge Functions Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationMartin Cochran. August 24, 2008
Notes on the Wang et al. 2 63 SHA-1 Differential Path Martin Cochran August 24, 2008 Abstract Although advances in SHA-1 cryptanalysis have been made since the 2005 announcement of a2 63 attack by Wang
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block
More informationA (Second) Preimage Attack on the GOST Hash Function
A (Second) Preimage Attack on the GOST Hash Function Florian Mendel, Norbert Pramstaller, and Christian Rechberger Institute for Applied Information Processing and Communications (IAIK), Graz University
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationCryptanalysis of MDC-2
Cryptanalysis of MDC-2 Lars R. Knudsen 1, Florian Mendel 2, Christian Rechberger 2, and Søren S. Thomsen 1 1 Department of Mathematics, Technical University of Denmark Matematiktorvet 303S, DK-2800 Kgs.
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationImproved characteristics for differential cryptanalysis of hash functions based on block ciphers
1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,
More informationPreimage Attacks on Reduced Tiger and SHA-2
Preimage Attacks on Reduced Tiger and SHA-2 Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com Abstract. This
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationFurther progress in hashing cryptanalysis
Further progress in hashing cryptanalysis Arjen K. Lenstra Lucent Technologies, Bell Laboratories February 26, 2005 Abstract Until further notice all new designs should use SHA-256. Existing systems using
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationImproved indifferentiability security analysis of chopmd Hash Function
Improved indifferentiability security analysis of chopmd Hash Function Donghoon Chang 1 and Mridul Nandi 2 1 Center for Information Security Technologies (CIST) Korea University, Seoul, Korea dhchang@cist.korea.ac.kr
More informationFunctional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners
Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners Zhenzhen Bao 1,2, Lei Wang 1,3, Jian Guo 2, and Dawu Gu 1 1 Shanghai Jiao Tong University, Shanghai, China 2 Nanyang Technological
More informationProvable Chosen-Target-Forced-Midfix Preimage Resistance
Provable Chosen-Target-Forced-Midfix Preimage Resistance Elena Andreeva and Bart Mennink Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva, bart.mennink}@esat.kuleuven.be
More informationSecond Preimage Attacks on Dithered Hash Functions
Second Preimage Attacks on Dithered Hash Functions Charles Bouillaguet 1, Pierre-Alain Fouque 1, Adi Shamir 1,2, and Sebastien Zimmer 1 1 École normale supérieure Département d Informatique 45, rue d Ulm
More informationGeneral Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity
General Distinguishing Attacks on MAC and HMAC with Birthday Attack Complexity Donghoon Chang 1 and Mridul andi 2 1 Center or Inormation Security Technologies(CIST), Korea University, Korea dhchang@cist.korea.ac.kr
More informationHash Function Balance and its Impact on Birthday Attacks
Hash Function Balance and its Impact on Birthday Attacks Mihir Bellare 1 and Tadayoshi Kohno 1 Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive, La Jolla,
More informationSecond Preimages for Iterated Hash Functions and their Implications on MACs
Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationBuilding a Collision-Resistant Compression Function from Non-Compressing Primitives
Building a Collision-Resistant Compression Function from Non-Compressing Primitives Thomas Shrimpton 1 and Martijn Stam 2 1 University of Lugano and Portland State University thomas.shrimpton@unisi.ch
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationA Failure-Friendly Design Principle for Hash Functions
A Failure-Friendly Design Principle for Hash Functions Stefan Lucks University of Mannheim, Germany http://th.informatik.uni-mannheim.de/people/lucks/ Abstract. This paper reconsiders the established Merkle-Damgård
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationSecurity Analysis of Constructions Combining FIL Random Oracles
Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Telecom R&D, 38-40 rue du Général Leclerc, F-92794 Issy-les-Moulineaux, France Université de Versailles,
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationMerkle-Damgård Revisited : how to Construct a Hash Function
Merkle-Damgård Revisited : how to Construct a Hash Function Jean-Sébastien Coron 1, Yevgeniy Dodis 2, Cécile Malinaud 3, and Prashant Puniya 2 1 University of Luxembourg coron@clipper.ens.fr 2 New-York
More informationDesign of Iteration on Hash Functions and its Cryptanalysis
Design of Iteration on Hash Functions and its Cryptanalysis MRIDUL NANDI Applied Statistics Unit Indian Statistical Institute Kolkata - 700108 India. 1 Design of Iteration on Hash Functions and its Cryptanalysis
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationMJH: A Faster Alternative to MDC-2
MJH: A Faster Alternative to MDC-2 Jooyoung Lee 1 and Martijn Stam 2 1 Sejong University, Seoul, Korea, jlee05@sejongackr 2 University of Bristol, Bristol, United Kingdom, martijnstam@bristolacuk Abstract
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationLow-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Author manuscript, published in "Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference 4622 (2007) 13-30" DOI : 10.1007/978-3-540-74143-5_2 Full Key-Recovery Attacks on
More informationSecurity of Cyclic Double Block Length Hash Functions including Abreast-DM
Security of Cyclic Double Block Length Hash Functions including Abreast-DM Ewan Fleischmann, Michael Gorski, Stefan Lucks {ewan.fleischmann,michael.gorski,stefan.lucks}@uni-weimar.de Bauhaus-University
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Q. Nguyen École Normale Supérieure Département d Informatique, 45 rue d Ulm, 75230 Paris Cedex 05, France
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationLinearization and Message Modification Techniques for Hash Function Cryptanalysis
Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification
More informationSome Attacks on Merkle-Damgård Hashes
Overview Some Attacks on Merkle-Damgård Hashes John Kelsey, NIST and KU Leuven May 8, 2018 m 0 m 1 m 2 m 3 10*L h 0 h 1 h 2 h final Introduction 1 / 63 Overview Cryptographic Hash unctions Thinking About
More informationPreimages for Step-Reduced SHA-2
Preimages for Step-Reduced SHA-2 Jian Guo 1 and Krystian Matusiewicz 2 1 Division of Mathematical Sciences School of Physical and Mathematical Sciences Nanyang Technological University, Singapore guojian@ntu.edu.sg
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationSecurity without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationCryptanalysis on HMAC/NMAC-MD5 and MD5-MAC
Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Xiaoyun Wang 1,2, Hongbo Yu 1, Wei Wang 2, Haina Zhang 2, and Tao Zhan 3 1 Center for Advanced Study, Tsinghua University, Beijing 100084, China {xiaoyunwang,
More informationPerfect Diffusion Primitives for Block Ciphers
Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch
More informationConstructing Cryptographic Hash Functions from Fixed-Key Blockciphers
Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers Phillip Rogaway 1 and John Steinberger 2 1 Department of Computer Science, University of California, Davis, USA 2 Department of Mathematics,
More informationCryptanalysis of the GOST Hash Function
Cryptanalysis o the GOST Hash Function Florian Mendel 1, Norbert Pramstaller 1, Christian Rechberger 1, Marcin Kontak 2, and Janusz Szmidt 2 1 Institute or Applied Inormation Processing and Communications
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationChapter 5. Hash Functions. 5.1 The hash function SHA1
Chapter 5 Hash Functions A hash function usually means a function that compresses, meaning the output is shorter than the input. Often, such a function takes an input of arbitrary or almost arbitrary length
More informationEvaluation Report. Security Level of Cryptography SHA-384 and SHA- 512
Branche Développement France Télécom R&D FTR&D/DTL/SSR/80/HG Evaluation Report Security Level of Cryptography SHA-384 and SHA- 512 Dr. Henri Gilbert Dr. Helena Handschuh France Télécom R&D DTL/SSR Gemplus
More informationMulticollision Attacks on a Class of Hash Functions
Multicollision Attacks on a Class of Hash Functions M. Nandi Applied Statistics Unit Indian Statistical Institute Calcutta, India mridul r@isical.ac.in D. R. Stinson School of Computer Science University
More informationThe Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1, Jérémy Jean 1, Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical
More informationRebound Distinguishers: Results on the Full Whirlpool Compression Function
Rebound Distinguishers: Results on the Full Whirlpool Compression Function Mario Lamberger 1, Florian Mendel 1, Christian Rechberger 1, Vincent Rijmen 1,2,3, and Martin Schläffer 1 1 Institute for Applied
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More information