Author

# Xiaoyun Wang

Other affiliations: University of Hong Kong, Shandong University, Chinese Ministry of Education

Bio: Xiaoyun Wang is an academic researcher from Tsinghua University. The author has contributed to research in topic(s): Block cipher & Collision attack. The author has an hindex of 21, co-authored 73 publication(s) receiving 5276 citation(s). Previous affiliations of Xiaoyun Wang include University of Hong Kong & Shandong University.

Topics: Block cipher, Collision attack, Hash function, Preimage attack, MD4

##### Papers

More filters

••

14 Aug 2005

TL;DR: This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound, and it is shown that collisions ofSHA-1 can be found with complexityLess than 269 hash operations.

Abstract: In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 269 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound.

1,545 citations

••

22 May 2005

TL;DR: A new powerful attack on MD5 is presented, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.

Abstract: MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

1,517 citations

••

22 May 2005

Abstract: MD4 is a hash function developed by Rivest in 1990 It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 220 MD4 hash computations In this paper, we present a new attack on MD4 which can find a collision with probability 2−2 to 2−6, and the complexity of finding a collision doesn't exceed 28 MD4 hash operations Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 28 Furthermore, we show that for a weak message, we can find another message that produces the same hash value The complexity is only a single MD4 computation, and a random message is a weak message with probability 2−122
The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 218 RIPEMD hash operations

483 citations

••

14 Aug 2005

TL;DR: Using the new techniques, this paper can find collisions of the full 80-step SHA-0 with complexity less than 239 hash operations.

Abstract: In this paper, we present new techniques for collision search in the hash function SHA-0. Using the new techniques, we can find collisions of the full 80-step SHA-0 with complexity less than 239 hash operations.

441 citations

•

TL;DR: In 1993 Bert den Boer and Antoon Bosselaers found pseudo-collision for MD5 which is made of the same message with two different sets of initial value.

Abstract: MD5 is the hash function designed by Ron Rivest [9] as a strengthened version of MD4[8]. In 1993 Bert den Boer and Antoon Bosselaers [1] found pseudo-collision for MD5 which is made of the same message with two different sets of initial value. H. Dobbertin[3] found another kind of collision which consists of two different 512-bit messages with a chosen initial value I

399 citations

##### Cited by

More filters

••

04 Oct 2019

TL;DR: Permission to copy without fee all or part of this material is granted provided that the copies arc not made or distributed for direct commercial advantage.

Abstract: Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian.In this paper a computational complexity theory of the “knowledge” contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and 'quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.

1,954 citations

••

14 Aug 2005

TL;DR: This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound, and it is shown that collisions ofSHA-1 can be found with complexityLess than 269 hash operations.

Abstract: In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 269 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound.

1,545 citations

••

22 May 2005

TL;DR: A new powerful attack on MD5 is presented, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.

Abstract: MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

1,517 citations

•

TL;DR: This work presents a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficientlylarge.

Abstract: An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users' keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of copyrighted function which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based copyrighted function. Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant transmission rate traitor tracing schemes based on copyrighted encryption functions. Our first scheme achieves the same expansion efficiency as regular ElGamal encryption. The second scheme introduces only a slightly larger (constant) overhead, however, it additionally achieves efficient black-box traitor tracing (against any pirate construction).

649 citations

••

01 Jan 2007

TL;DR: This chapter provides a survey of attacks and countermeasures in MANET and puts forward an overview of MANET intrusion detection systems (IDS), which are reactive approaches to thwart attacks and used as a second line of defense.

Abstract: Security is an essential service for wired and wireless network communications. The success of mobile ad hoc network (MANET) will depend on people ’s confidence in its security. However, the characteristics of MANET pose both challenges and opportunities in achieving security goals, such as confidentiality, authentication, integrity, availability, access control, and non-repudiation. We provide a survey of attacks and countermeasures in MANET in this chapter. The countermeasures are features or functions that reduce or eliminate security vulnerabilities and attacks. First, we give an overview of attacks according to the protocol layers, and to security attributes and mechanisms. Then we present preventive approaches following the order of the layered protocol layers. We also put forward an overview of MANET intrusion detection systems (IDS), which are reactive approaches to thwart attacks and used as a second line of defense.

639 citations