Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family
|
|
- Horatio O’Connor’
- 6 years ago
- Views:
Transcription
1 Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family Somitra Kr. Sanadhya and Palash Sarkar Cryptology Research Group Applied Statistics Unit Indian Statistical Institute, Kolkata India {somitra_r, ISC, Taipei, 17 th September 2008 Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
2 Cryptographic Hash functions À ÙÒØ ÓÒ h x h(x) {0, 1} {0, 1} n Fixed size Fingerprint" of arbitrary length data. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
3 Cryptographic Hash functions Used in : Verifying integrity of data. Digital signatures. Storing authentication information (Passwords).... Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
4 Hash function Security Requirements Collision resistance. Difficult to find x 1 and x 2 s.t. x 1 x 2 but h(x 1 ) = h(x 2 ) Preimage resistance. Given y, it is difficult to find an x s.t. h(x) = y Second Preimage resistance. Given x 1, it is difficult to find an x 2 s.t. x 1 x 2 but h(x 1 ) = h(x 2 ) Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
5 Merkle-Damgard Hash Design M 1 M 2 M k ÁÎ = h 0 f f f g h(m) h 1 h 2 h k Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
6 Hash Function Schema (for one block message) ÜÔ Ò Å ÁÎ W0 ËØ Ô ½ W1 ËØ Ô ¾ Å M0 M15 À ÇÙØÔÙØ Wn 2 ËØ Ô n 1 Wn 1 ËØ Ô n Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
7 Figure: Round function of SHA-2 family a i 1 b i 1 c i 1 d i 1 e i 1 f i 1 g i 1 h i K i + f MAJ f IF + + W i + + a i b i c i d i e i f i g i h i Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
8 The Notation Message words : I : {W 0, W 1,..., W 15 }, II: {W 0, W 1,..., W 15 }. These message words are then expanded upto W 20 and W 20 for this work. The word W i is used in Step i, where the index i starts from zero. Differences {δw 0,δW 1,...,δW 15 }. W i = W i + δw i. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
9 The Local Collision Ö Ø Ö = 0 ËØ Ô i W i ËØ Ô i W i + W i ËØ Ô i + 1 W i+1 ËØ Ô i + 1 W i+1 + W i+1 COPY 1 COPY 2 ËØ Ô i + 8 W i+8 ËØ Ô i + 8 W i+8 + W i+8 Ö Ø Ö = 0 Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
10 9-step Non-Linear Local Collision Step i δw i δa i δb i δc i δd i δe i δf i δg i δh i i i x x x i + 1 δw i+1 0 x 0 0 y x 0 0 i + 2 δw i x 0 z y x 0 i + 3 δw i x 0 z y x i + 4 δw i x 0 z y i + 5 δw i x 0 z i + 6 δw i x 0 i + 7 δw i x i + 8 x Nikolić-Biryukov (NB) : FSE 08 = {x, y, z}={1, 1, 0}; 2. Sanadhya-Sarkar (SS) : ACISP 08 = {x, y, z}={1, 1, 1} Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
11 The Cross Dependence Equation We note a special and simple relation in the a and the e register. For example, e i = d i 1 + Σ 1 (e i 1 ) + f IF (e i 1, f i 1, g i 1 ) + h i 1 + K i + W i = d i 1 + a i Σ 0 (a i 1 ) f MAJ (a i 1, b i 1, c i 1 ) = a i 4 + a i Σ 0 (a i 1 ) f MAJ (a i 1, a i 2, a i 3 ). (1) This relationship shows that the e register solely depends on the a register values of previous 5 steps. This relation also shows that the state update of the SHA-2 family can be written in terms of one variable only, as was also independently observed by Indesteege et al. (SAC 08). Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
12 Constructing the 21-Step SHA-2 Attack Have a single local collision spanning from Step 6 to Step 14. We take other message words to have no differences. That is δw i = 0 for i {0, 1, 2, 3, 4, 5, 15}. For the SS local collision, we have δw i = 0 for i {10, 11, 12, 13}. First 5 steps of message expansion of SHA-2 are shown next. W 16 = σ 1 (W 14 ) + W 9 + σ 0 (W 1 ) + W 0, W 17 = σ 1 (W 15 ) + W 10 + σ 0 (W 2 ) + W 1, W 18 = σ 1 (W 16 ) + W 11 + σ 0 (W 3 ) + W 2, W 19 = σ 1 (W 17 ) + W 12 + σ 0 (W 4 ) + W 3, W 20 = σ 1 (W 18 ) + W 13 + σ 0 (W 5 ) + W 4. Underlined terms may have non-zero differences. If W 16 = W 16 i.e. δw 16 = 0 then we have a 21-step collision. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
13 Constructing the 21-Step SHA-2 Attack W 16 = σ 1 (W 14 ) + W 9 + σ 0 (W 1 ) + W 0. δw 14 = 1. I.e. δw 16 = 0, = σ 1 (W 14 ) + W 9 = σ 1 (W 14 ) + W 9. I.e. δw 9 = σ 1 (W 14 ) σ 1 (W 14 1). In ACISP 08, we developed an improved probabilistic attack using the fact that the term σ 1 (X) σ 1 (X 1) is highly skewed. We created a list of pairs (X,σ 1 (X) σ 1 (X 1)). Now we can make the attack deterministic. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
14 Constructing the 21-Step SHA-2 Attack The SS local collision allows δw 9 to be set to any value. Even though σ 1 (W 14 ) σ 1 (W 14 1) is highly skewed, we can suitably choose δw 9 so as to satisfy the equality of these two terms. This allows the deterministic 21-step SHA-2 attack. Prior work had not been able to show 21-step SHA-512 collisions. We provide the first colliding message pair for 21-step SHA-512. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
15 Constructing the 21-Step SHA-2 Attack There are two different 21-step SHA-2 attacks in this work. Both the attacks are deterministic. There are 6 free words in the first attack. There are 5 free words in the second attack. In the first attack, the SS local collision has 4 consecutive δw i = 0. In the first attack, the SS local collision has 3 consecutive δw i = 0. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
16 The Case of the NB Local Collision δw 9 depends on e 6, e 7 and e 8. Assuming that these three register values are random, we have that Pr[δW 9 2 j ] < 1 2 j 1. I.e. δw 9 rarely takes very large values. On the other hand, for SHA-512, we have that σ 1 (X) σ 1 (X 1) ( ). The two lemmas above show that, using the NB local collision, obtaining equality of the two terms is very unlikely for SHA-512. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
17 The Case of the NB Local Collision More generally, if the NB local collision is started at Step i, then δw i+3 depends on e i, e i+1 and e i+2. Assuming that these three register values are random, we have that Pr[δW i+3 2 j ] < 1 2 j 1. But we still need to satisfy the equality δw i+3 = σ 1 (W i+8 ) σ 1 (W i+8 1). Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
18 Bridging the Gap for the NB Local Collision First of all, note that δw i+3 = f IF (e i+2, e i+1 1, e i ) + f IF (e i+2, e i+1, e i ). It is possible to ensure that the values of the registers e i+2, e i+1 and e i are such that the term δw i+3 is large. This allows attaining the equality possible. But, to attain such values of e i+2, e i+1 and e i, one needs to iterate over many initial words. = Equality is achieved at the cost of more work in the beginning of the search for message words. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
19 Recent work on SHA-2 22-step Deterministic SHA-512 Attack. (IACR eprint) 23-step SHA-512 attack with effort calls. (CoRR archive) 24-step SHA-512 attack with effort calls. (CoRR archive) Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
20 Thank You The Organizers & The Audience. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20
New Collision attacks Against Up To 24-step SHA-2
New Collision attacks Against Up To 24-step SHA-2 Somitra Kumar Sanadhya and Palash Sarkar Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India 700108. somitra r@isical.ac.in,
More informationEvaluation Report. Security Level of Cryptography SHA-384 and SHA- 512
Branche Développement France Télécom R&D FTR&D/DTL/SSR/80/HG Evaluation Report Security Level of Cryptography SHA-384 and SHA- 512 Dr. Henri Gilbert Dr. Helena Handschuh France Télécom R&D DTL/SSR Gemplus
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationNon-Linear Reduced Round Attacks Against SHA-2 Hash family
Non-Linear Reduced Round Attacks Against SHA-2 Hash family Somitra Kumar Sanadhya and Palash Sarkar Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India 700108. somitra
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationPreimage Attacks on Reduced Tiger and SHA-2
Preimage Attacks on Reduced Tiger and SHA-2 Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com Abstract. This
More informationDomain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration
Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration Palash Sarkar Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 203, B.T. Road,
More informationAttacking Reduced Round SHA-256
Attacking Reduced Round SHA-256 Somitra Kumar Sanadhya and Palash Sarkar Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India 70008. somitra r@isical.ac.in, palash@isical.ac.in
More informationPreimages for Step-Reduced SHA-2
Preimages for Step-Reduced SHA-2 Jian Guo 1 and Krystian Matusiewicz 2 1 Division of Mathematical Sciences School of Physical and Mathematical Sciences Nanyang Technological University, Singapore guojian@ntu.edu.sg
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationCollision Attack on Boole
Collision Attack on Boole Florian Mendel, Tomislav Nad and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a, A-8010
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationPreimage Attacks on 3, 4, and 5-Pass HAVAL
Preimage Attacks on 3, 4, and 5-Pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationH Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.
Definition - hash function Cryptographic Hash Functions - Introduction Lars R. Knudsen April 21, 2008 Located in the southernmost part of Europe with an artic climate, Hotel Finse 1222 provides the perfect
More informationLow-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationLinearization and Message Modification Techniques for Hash Function Cryptanalysis
Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationHow to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland
How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1
More informationAttacks on hash functions: Cat 5 storm or a drizzle?
Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1 Outline Hash functions: Definitions Constructions Attacks What to do 2 Outline
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationImproved Collision Search for SHA-0
Improved Collision Search for SHA-0 Yusuke Naito 1, Yu Sasaki 1, Takeshi Shimoyama 2, Jun Yajima 2, Noboru Kunihiro 1, and Kazuo Ohta 1 1 The University of Electro-Communications, Japan {tolucky,yu339,kunihiro,ota}@ice.uec.ac.jp
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationPractical Free-Start Collision Attacks on 76-step SHA-1
Practical Free-Start Collision Attacks on 76-step SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens CWI, Amsterdam 2015
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationMasking Based Domain Extenders for UOWHFs: Bounds and Constructions
Masking Based Domain Extenders for UOWHFs: Bounds and Constructions Palash Sarkar Cryptology Research Group, Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata 700108, India
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationConstruction of universal one-way hash functions: Tree hashing revisited
Discrete Applied Mathematics 155 (2007) 2174 2180 www.elsevier.com/locate/dam Note Construction of universal one-way hash functions: Tree hashing revisited Palash Sarkar Applied Statistics Unit, Indian
More informationA New Distinguisher on Grain v1 for 106 rounds
A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationCryptanalysis of EnRUPT
Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is
More informationPractical Free-Start Collision Attacks on full SHA-1
Practical Free-Start Collision Attacks on full SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens Séminaire Cryptologie
More informationCryptanalysis of 1-Round KECCAK
Cryptanalysis of 1-Round KECCAK Rajendra Kumar 1,Mahesh Sreekumar Rajasree 1 and Hoda AlKhzaimi 2 1 Center for Cybersecurity, Indian Institute of Technology Kanpur, India rjndr@iitk.ac.in, mahesr@iitk.ac.in
More informationFunctional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners
Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners Zhenzhen Bao 1,2, Lei Wang 1,3, Jian Guo 2, and Dawu Gu 1 1 Shanghai Jiao Tong University, Shanghai, China 2 Nanyang Technological
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Author manuscript, published in "Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference 4622 (2007) 13-30" DOI : 10.1007/978-3-540-74143-5_2 Full Key-Recovery Attacks on
More informationAvailable online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
More informationNew Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafael Chen
New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafael Chen New Techniques for Cryptanalysis of Cryptographic Hash Functions Research Thesis Submitted in partial fulfillment of the requirements
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationContributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions
Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions By Przemys law Szczepan Soko lowski A thesis submitted to Macquarie University for the degree of Doctor of Philosophy
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationQuantum Preimage and Collision Attacks on CubeHash
Quantum Preimage and Collision Attacks on CubeHash Gaëtan Leurent University of Luxembourg, Gaetan.Leurent@uni.lu Abstract. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationPreimage Attacks on 3, 4, and 5-pass HAVAL
Preimage Attacks on 3, 4, and 5-pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Q. Nguyen École Normale Supérieure Département d Informatique, 45 rue d Ulm, 75230 Paris Cedex 05, France
More informationA Sufficient Condition for Optimal Domain Extension of UOWHFs
A Sufficient Condition for Optimal Domain Extension of UOWHFs Mridul Nandi Applied Statistics Unit, Indian Statistical Institute mridul r@isical.ac.in Abstract. In this paper we will provide a non-trivial
More informationThe Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1, Jérémy Jean 1, Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationIntroduction Description of MD5. Message Modification Generate Messages Summary
How to Break MD5 and other hash functions Xiaoyun Wang and Hongbo Yu (China) Presented by: Saar Benodiz May 2012 Outline Introduction Description of MD5 Differential Attack for Hash Functions Message Modification
More informationMartin Cochran. August 24, 2008
Notes on the Wang et al. 2 63 SHA-1 Differential Path Martin Cochran August 24, 2008 Abstract Although advances in SHA-1 cryptanalysis have been made since the 2005 announcement of a2 63 attack by Wang
More informationCryptanalysis of Edon-R
Cryptanalysis of Edon-R Dmitry Khovratovich, Ivica Nikolić, and Ralf-Philipp Weinmann University of Luxembourg Abstract. We present various types of attacks on the hash family Edon- R. In a free start
More informationPractical consequences of the aberration of narrow-pipe hash designs from ideal random functions
Practical consequences of the aberration of narrow-pipe hash designs from ideal random functions Danilo Gligoroski 1 and Vlastimil Klima 2 1 Faculty of Information Technology, Mathematics and Electrical
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationAURORA: A Cryptographic Hash Algorithm Family
AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationDistinguishers for the Compression Function and Output Transformation of Hamsi-256
Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson Emilia Käsper Lars Ramkilde Knudsen Krystian Matusiewicz Rune Ødegård Thomas Peyrin Martin Schläffer
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationOptimization of Tree Modes for Parallel Hash Functions : A case study
Optimization of Tree Modes for Parallel Hash Functions : A case study Kevin Atighehchi, Robert Rolland To cite this version: Kevin Atighehchi, Robert Rolland. Optimization of Tree Modes for Parallel Hash
More informationHash functions and Cayley graphs: The end of the story?
Hash functions and Cayley graphs: The end of the story? Christophe Petit Microelectronics Laboratory Ch. Petit - Montréal WCSC - April 2010 1 Hash functions H : {0, 1} {0, 1} n Microelectronics Laboratory
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationImproved Generic Attacks Against Hash-based MACs and HAIFA
Improved Generic Attacks Against Hash-based MACs and HAIFA Itai Dinur 1 and Gaëtan Leurent 2 1 Département d Informatique, École Normale Supérieure, Paris, France Itai.Dinur@ens.fr 2 Inria, EPI SECRET,
More informationSecond Preimages for Iterated Hash Functions and their Implications on MACs
Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)
More informationThe Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1,Jérémy Jean 1(B),Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationProvably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationNew attacks on Keccak-224 and Keccak-256
New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University
More informationHash Function Balance and its Impact on Birthday Attacks
Hash Function Balance and its Impact on Birthday Attacks Mihir Bellare 1 and Tadayoshi Kohno 1 Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive, La Jolla,
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationCryptography CS 555. Topic 13: HMACs and Generic Attacks
Cryptography CS 555 Topic 13: HMACs and Generic Attacks 1 Recap Cryptographic Hash Functions Merkle-Damgård Transform Today s Goals: HMACs (constructing MACs from collision-resistant hash functions) Generic
More informationSome Attacks on Merkle-Damgård Hashes
Overview Some Attacks on Merkle-Damgård Hashes John Kelsey, NIST and KU Leuven May 8, 2018 m 0 m 1 m 2 m 3 10*L h 0 h 1 h 2 h final Introduction 1 / 63 Overview Cryptographic Hash unctions Thinking About
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More information