Journal ArticleDOI

A combinatorial analysis of recent attacks on step reduced SHA-2 family

19 Mar 2009-Cryptography and Communications (Springer US)-Vol. 1, Iss: 2, pp 135-173
TL;DR: This analysis explains in a unified way the recent attacks against reduced round SHA-2 in a general class of local collisions and shows that the previously used local collisions by Nikolić and Biryukov and by Sanadhya and Sarkar are special cases.
Abstract: We perform a combinatorial analysis of the SHA-2 compression function. This analysis explains in a unified way the recent attacks against reduced round SHA-2. We start with a general class of local collisions and show that the previously used local collisions by Nikolić and Biryukov (NB) and Sanadhya and Sarkar (SS) are special cases. The study also clarifies several advantages of the SS local collision over the NB local collision. Deterministic constructions of up to 22-round SHA-2 collisions are described using the SS local collision and up to 21-round SHA-2 collisions are described using the NB local collision. For 23 and 24-round SHA-2, we describe a general strategy and then apply the SS local collision to this strategy. The resulting attacks are faster than those proposed by Indesteege et al. using the NB local collision. We provide colliding message pairs for 22, 23 and 24-round SHA-2. Although these attacks improve upon the existing reduced round SHA-256 attacks, they do not threaten the security of the full SHA-2 family.
Citations
Journal ArticleDOI
TL;DR: It is shown that a secure and practical implementation of ECIES can only be compatible with two of the four previously mentioned standards, and the list of functions and options that must be used in such an implementation is provided.
Abstract: The most popular encryption scheme based on elliptic curves is the Elliptic Curve Integrated Encryption Scheme ECIES, which is included in ANSI X9.63, IEEE 1363a, ISO/IEC 18033-2, and SECG SEC 1. These standards offer many ECIES options, not always compatible, making it difficult to decide what parameters and cryptographic elements to use in a specific deployment scenario. In this work, the authors show that a secure and practical implementation of ECIES can only be compatible with two of the four previously mentioned standards. They also provide the list of functions and options that must be used in such an implementation. Finally, they present the results obtained when testing this ECIES version implemented as a Java application, which allows them to offer some comments about the performance and feasibility of their proposed solution.

25 citations

Proceedings ArticleDOI
10 Mar 2009
TL;DR: The general idea of "multiple feed-forward" for the construction of cryptographic hash functions is introduced, which can provide increased resistance to the Chabaud-Joux type "perturbation-correction" collision attacks.
Abstract: In this work, we study several properties of the SHA-2 design which have been utilized in recent collision attacks against reduced round SHA-2. Small modifications to the SHA-2 design are suggested to thwart these attacks. The modified round function provides the same resistance to linearization attacks as the original SHA-2 round function, but, provides better resistance to non-linear attacks. Our next contribution is to introduce the general idea of "multiple feed-forward" for the construction of cryptographic hash functions. This can provide increased resistance to the Chabaud-Joux type "perturbation-correction" collision attacks. The idea of feed-forward is taken further by introducing the idea of feed-forward across message blocks leading to resistance against generic multi-collision attacks. The net effect of the suggested changes to the SHA-2 design has insignificant impact on the efficiency of computing the digest.

7 citations


Cites background from "A combinatorial analysis of recent ..."

  • ...The idea of feed-forward is taken further by introducing the idea of feed-forward across message blocks leading to resistance against generic multi-collision attacks....


Journal ArticleDOI
TL;DR: Two approaches to reduce the number of logic gates at S7 and S9 of MISTY1, in order to reduce the total delay time, power dissipation and silicon area, are presented; they could be fit for the next generation of handheld and portable devices.
Abstract: The demand for high performance, low power/secured handheld equipment increased the need for high speed/low energy and efficient encryption/decryption algorithms. Recently, efficient techniques wer...

2 citations

References
Book ChapterDOI
14 Aug 2005
TL;DR: This is the first attack on the full 80-step SHA-1 with complexity less than the 2^80 theoretical bound, and it is shown that collisions of SHA-1 can be found with complexity less than 2^69 hash operations.
Abstract: In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2^69 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2^80 theoretical bound.

1,600 citations


"A combinatorial analysis of recent ..." refers background in this paper

  • ...The NIST standard SHA-1 family was theoretically cryptanalysed in [24] (though, till date, a colliding message pair for SHA-1 remains to be found)....


  • ...Following the works in [24, 25], there have been attacks [9, 22] on MD5 with improved time complexities and/or providing collisions of structured messages....


Book ChapterDOI
22 May 2005
TL;DR: A new powerful attack on MD5 is presented, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.
Abstract: MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

1,583 citations


"A combinatorial analysis of recent ..." refers background or methods in this paper

  • ...Having determined W[25, 18] we next determine W[29, 26] using positions 22 to 19 of Fig....


  • ...Define X = (D 19) + (W[25, 18] 1) + c0 and Y = (W[14, 0] 5) ⊕ (W[25, 18] 4)....


  • ...This was followed by partial attacks on MD5 with full cryptanalysis of MD5 and other hash functions coming recently [23, 25]....


  • ...Following the works in [24, 25], there have been attacks [9, 22] on MD5 with improved time complexities and/or providing collisions of structured messages....


Book ChapterDOI
01 Jul 1989
TL;DR: Apart from suggesting a generally sound design principle for hash functions, the results give a unified view of several apparently unrelated constructions of hash functions proposed earlier, and suggest changes to other proposed constructions to make a proof of security potentially easier.
Abstract: We show that if there exists a computationally collision free function f from m bits to t bits where m > t, then there exists a computationally collision free function h mapping messages of arbitrary polynomial lengths to t-bit strings. Let n be the length of the message; h can be constructed either such that it can be evaluated in time linear in n using 1 processor, or such that it takes time O(log(n)) using O(n) processors, counting evaluations of f as one step. Finally, for any constant k and large n, a speedup by a factor of k over the first construction is available using k processors. Apart from suggesting a generally sound design principle for hash functions, our results give a unified view of several apparently unrelated constructions of hash functions proposed earlier. It also suggests changes to other proposed constructions to make a proof of security potentially easier. We give three concrete examples of constructions, based on modular squaring, on Wolfram's pseudorandom bit generator [Wo], and on the knapsack problem.

1,284 citations


"A combinatorial analysis of recent ..." refers methods in this paper

  • ...The most famous families of CRHFs are the SHA-families standardized by NIST [21] of USA and are based on the iterative Merkle-Damgård (MD) [3, 12] type of hash functions designed by Rivest....


Book ChapterDOI
Ralph C. Merkle
01 Jul 1989
TL;DR: This work shows three one-way hash functions which are secure if DES is a good random block cipher.
Abstract: One way hash functions are a major tool in cryptography. DES is the best known and most widely used encryption function in the commercial world today. Generating a one-way hash function which is secure if DES is a "good" block cipher would therefore be useful. We show three such functions which are secure if DES is a good random block cipher.

1,001 citations


"A combinatorial analysis of recent ..." refers methods in this paper

  • ...The most famous families of CRHFs are the SHA-families standardized by NIST [21] of USA and are based on the iterative Merkle-Damgård (MD) [3, 12] type of hash functions designed by Rivest....


BookDOI
01 Aug 2005

726 citations