
Showing papers by "Florian Mendel" published in 2011


Book Chapter
04 Dec 2011
TL;DR: This paper presents the first automated tool for finding complex differential characteristics in SHA-2, shows that the techniques on SHA-1 cannot directly be applied to SHA-2, and shows how to overcome the difficulties by including the search for conforming message pairs in the search for differential characteristics.
Abstract: In this paper, we analyze the collision resistance of SHA-2 and provide the first results since the beginning of the NIST SHA-3 competition. We extend the previously best known semi-free-start collisions on SHA-256 from 24 to 32 (out of 64) steps and show a collision attack for 27 steps. All our attacks are practical and verified by colliding message pairs. We present the first automated tool for finding complex differential characteristics in SHA-2 and show that the techniques on SHA-1 cannot directly be applied to SHA-2. Due to the more complex structure of SHA-2 several new problems arise. Most importantly, a large amount of contradicting conditions occur which render most differential characteristics impossible. We show how to overcome these difficulties by including the search for conforming message pairs in the search for differential characteristics.

85 citations


Book Chapter
04 Dec 2011
TL;DR: This work introduces a new non-random property for hash/compression functions using the theory of higher order differentials and shows a second-order differential collision for the compression function of SHA-256 reduced to 47 out of 64 steps with practical complexity.
Abstract: In this work, we introduce a new non-random property for hash/compression functions using the theory of higher order differentials. Based on this, we show a second-order differential collision for the compression function of SHA-256 reduced to 47 out of 64 steps with practical complexity. We have implemented the attack and provide an example. Our results suggest that the security margin of SHA-256 is much lower than the security margin of most of the SHA-3 finalists in this setting. The techniques employed in this attack are based on a rectangle/boomerang approach and cover advanced search algorithms for good characteristics and message modification techniques. Our analysis also exposes flaws in all of the previously published related-key rectangle attacks on the SHACAL-2 block cipher, which is based on SHA-256. We provide valid rectangles for 48 steps of SHACAL-2.

59 citations


Posted Content
TL;DR: In this paper, the application of higher-order differential attacks on hash functions is studied, and a second-order differential attack on the SHA-256 compression function reduced to 46 out of 64 steps is shown and implemented.
Abstract: In this work, we study the application of higher-order differential attacks on hash functions. We show a second-order differential attack on the SHA-256 compression function reduced to 46 out of 64 steps. We implemented the attack and give the result in Table 1. The best attack so far (in a different attack model) with practical complexity was for 33 steps of the compression function.

43 citations


Book Chapter
11 Dec 2011
TL;DR: In this paper, a distinguisher for the permutation of SIMD-512 with complexity $2^{226.52}$ is presented; the attack is based on the application of the boomerang attack for hash functions and is extended to a distinguisher for the compression function.
Abstract: In this paper, we present a distinguisher for the permutation of SIMD-512 with complexity $2^{226.52}$. We extend the attack to a distinguisher for the compression function with complexity $2^{200.6}$. The attack is based on the application of the boomerang attack for hash functions. Starting from the middle of the compression function we use techniques from coding theory to search for two differential characteristics, one for the backward direction and one for the forward direction to construct a second-order differential. Both characteristics hold with high probability. The direct application of the second-order differential leads to a distinguisher for the permutation. Based on this differential we extend the attack to a distinguisher for the compression function.

20 citations



Journal Article
TL;DR: In this article, the authors presented a semi-free-start collision for 65 (out of 80) steps of HAS-160 with practical complexity, where the basic attack strategy is to construct a long differential characteristic by connecting two short ones by a complex third characteristic.
Abstract: HAS-160 is an iterated cryptographic hash function that is standardized by the Korean government and widely used in Korea. In this paper, we present a semi-free-start collision for 65 (out of 80) steps of HAS-160 with practical complexity. The basic attack strategy is to construct a long differential characteristic by connecting two short ones by a complex third characteristic. The short characteristics are constructed using techniques from coding theory. To connect them, we are using an automatic search algorithm for the connecting characteristic utilizing the nonlinearity of the step function.

14 citations


Journal Article
TL;DR: In this paper, the collision resistance of SHA-2 is analyzed and the first results since the beginning of the NIST SHA-3 competition are provided, including a collision attack for 27 steps.
Abstract: In this paper, we analyze the collision resistance of SHA-2 and provide the first results since the beginning of the NIST SHA-3 competition. We extend the previously best known semi-free-start collisions on SHA-256 from 24 to 32 (out of 64) steps and show a collision attack for 27 steps. All our attacks are practical and verified by colliding message pairs. We present the first automated tool for finding complex differential characteristics in SHA-2 and show that the techniques on SHA-1 cannot directly be applied to SHA-2. Due to the more complex structure of SHA-2 several new problems arise. Most importantly, a large amount of contradicting conditions occur which render most differential characteristics impossible. We show how to overcome these difficulties by including the search for conforming message pairs in the search for differential characteristics.

9 citations


Book Chapter
30 Nov 2011
TL;DR: This paper presents a semi-free-start collision for 65 (out of 80) steps of HAS-160 with practical complexity, using an automatic search algorithm for the connecting characteristic utilizing the nonlinearity of the step function.
Abstract: HAS-160 is an iterated cryptographic hash function that is standardized by the Korean government and widely used in Korea. In this paper, we present a semi-free-start collision for 65 (out of 80) steps of HAS-160 with practical complexity. The basic attack strategy is to construct a long differential characteristic by connecting two short ones by a complex third characteristic. The short characteristics are constructed using techniques from coding theory. To connect them, we are using an automatic search algorithm for the connecting characteristic utilizing the nonlinearity of the step function.

8 citations


20 May 2011
TL;DR: Tuple cryptanalysis is introduced, a variant of structural cryptanalysis techniques as square, saturation, integral, internal collision, or multiset cryptanalysis, the main difference being that tuple cryptanalysis considers ordered rather than unordered multisets, to better trace structural properties within a cipher's internal state.
Abstract: We introduce tuple cryptanalysis, a variant of structural cryptanalysis techniques as square, saturation, integral, internal collision, or multiset cryptanalysis, the main difference being that tuple cryptanalysis considers ordered rather than unordered multisets. This allows cryptanalysts to better trace structural properties within a cipher’s internal state. Unlike previous works that focus on S-box based algorithms, structural analysis is applied to ARX constructions, with preliminary results on reduced versions of Skein’s and BLAKE’s ARX cores. Due to its simplicity and efficient verification, tuple cryptanalysis can be used as a security benchmark for ARX schemes.

5 citations


Journal Article
TL;DR: In this paper, the authors present attacks on the compression function of Maelstrom-0, which is based on the Whirlpool hash function standardized by ISO and was designed to be a faster and more robust enhancement.
Abstract: In this paper we present attacks on the compression function of Maelstrom-0. It is based on the Whirlpool hash function standardized by ISO and was designed to be a faster and more robust enhancement. We analyze the compression function and use differential cryptanalysis to construct collisions for reduced variants of the Maelstrom-0 compression function. The attacks presented in this paper are of practical complexity and show significant weaknesses in the construction compared to its predecessor. The methods used are based on recent results in the analysis of AES-based hash functions.

5 citations


05 Jul 2011
TL;DR: A short overview of the recent results on the five finalists for NIST's SHA-3 competition is presented and each one of the finalists is treated.
Abstract: This report was produced in partial fulfillment of contract ICT-2007-216676 (ECRYPT II), sponsored by the European Commission through the ICT Programme. The information in this paper is provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. We present a short overview of the recent results on the five finalists for NIST's SHA-3 competition. The next five chapters treat each one of the finalists.

Book Chapter
07 Jun 2011
TL;DR: The compression function is analyzed and differential cryptanalysis is used to construct collisions for reduced variants of the Maelstrom-0 compression function to show significant weaknesses in the construction compared to its predecessor.
Abstract: In this paper we present attacks on the compression function of Maelstrom-0. It is based on the Whirlpool hash function standardized by ISO and was designed to be a faster and more robust enhancement. We analyze the compression function and use differential cryptanalysis to construct collisions for reduced variants of the Maelstrom-0 compression function. The attacks presented in this paper are of practical complexity and show significant weaknesses in the construction compared to its predecessor. The methods used are based on recent results in the analysis of AES-based hash functions.