Collisions on SHA-0 in One Hour
10 Feb 2008-pp 16-35
TL;DR: This paper shows that the previous perturbation vectors used in all known attacks are not optimal and provides a new 2-block one and is able to produce the best collision attack against SHA-0 so far, with a measured complexity of 233,6hash function calls.
Abstract: At Crypto 2007, Joux and Peyrin showed that the boomerang attack, a classical tool in block cipher cryptanalysis, can also be very useful when analyzing hash functions. They applied their new theoretical results to SHA and provided new improvements for the cryptanalysis of this algorithm. In this paper, we concentrate on the case of SHA-0 . First, we show that the previous perturbation vectors used in all known attacks are not optimal and we provide a new 2-block one. The problem of the possible existence of message modifications for this vector is tackled by the utilization of auxiliary differentials from the boomerang attack, relatively simple to use. Finally, we are able to produce the best collision attack against SHA-0 so far, with a measured complexity of 233,6hash function calls. Finding one collision for SHA-0 takes us approximatively one hour of computation on an average PC.
Citations
More filters
2,687 citations
20 Aug 2017
TL;DR: The SHA-1 hash function standard was deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks as mentioned in this paper, and was replaced by the SHA-2 standard.
Abstract: SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks.
239 citations
Journal Article•
TL;DR: SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks.
Abstract: SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks.
176 citations
Cites background from "Collisions on SHA-0 in One Hour"
...Joux and Peyrin then noted that sufficient conditions for the local collision can be pre-satisfied when creating the initial partial solution, effectively leading to probability-one local collisions....
[...]
...The best current such attack on SHA-0 is due to Manuel and Peyrin [27], and requires the equivalent of about 2 calls to the compression function....
[...]
...A nice improvement of the original neutral bits technique was ultimately described by Joux and Peyrin as “boomerangs” [19]....
[...]
...The best current such attack on SHA-0 is due to Manuel and Peyrin [27], and requires the equivalent of about 233.6 calls to the compression function....
[...]
TL;DR: It is shown that all published disturbance vectors can be classified into two types of vectors, type-I and type-II, and a deterministic algorithm is presented which produces efficient disturbance vectors with respect to any given cost function.
Abstract: The main contribution of this paper is to provide a classification of disturbance vectors used in differential collision attacks against $${\tt{SHA}-1}$$ . We show that all published disturbance vectors can be classified into two types of vectors, type-I and type-II. We present a deterministic algorithm which produce efficient disturbance vectors with respect to any given cost function. We define two simple cost functions to evaluate the efficiency of a candidate disturbance vector. Using our algorithm and those cost function we retrieved all previously known vectors and found that the most efficient disturbance vector is the one first reported as Codeword2 by Jutla and Patthak, A matching lower bound on the minimum weight of SHA-1 expansion code. Cryptology ePrint Archive, Report 2005/266, (2005). We also present a statistical evaluation of local collisions' holding probabilities and show that the common assumption of local collision independence is flawed.
81 citations
Additional excerpts
...– conditions counting [8, 17–20] and, – probabilities computation [1–6, 10]....
[...]
...Many researches have discussed collision attacks against SHA-0 and SHA-1 [5, 1, 2, 18– 20, 3, 11, 17, 4, 6, 8]....
[...]
TL;DR: This paper presents attacks on up to four rounds of AES that require at most three known/chosen plaintexts, and applies these attacks to cryptanalyze an AES-based stream cipher, and to mount the best known plaintext attack on six-round AES.
Abstract: The majority of current attacks on reduced-round variants of block ciphers seeks to maximize the number of rounds that can be broken, using less data than the entire codebook and less time than exhaustive key search. In this paper, we pursue a different approach, restricting the data available to the adversary to a few plaintext/ciphertext pairs. We argue that consideration of such attacks (which received little attention in recent years) improves our understanding of the security of block ciphers and of other cryptographic primitives based on block ciphers. In particular, these attacks can be leveraged to more complex attacks, either on the block cipher itself or on other primitives (e.g., stream ciphers, MACs, or hash functions) that use a small number of rounds of the block cipher as one of their components. As a case study, we consider the Advanced Encryption Standard (AES)-the most widely used block cipher. The AES round function is used in many cryptographic primitives, such as the hash functions Lane, SHAvite-3, and Vortex or the message authentication codes ALPHA-MAC, Pelican, and Marvin. We present attacks on up to four rounds of AES that require at most three known/chosen plaintexts. We then apply these attacks to cryptanalyze an AES-based stream cipher (which follows the leak extraction methodology), and to mount the best known plaintext attack on six-round AES.
66 citations
References
More filters
Book•
01 Jan 1996TL;DR: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols.
Abstract: From the Publisher:
A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.
13,597 citations
2,687 citations
14 Aug 2005
TL;DR: This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound, and it is shown that collisions ofSHA-1 can be found with complexityLess than 269 hash operations.
Abstract: In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 269 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound.
1,600 citations
22 May 2005
TL;DR: A new powerful attack on MD5 is presented, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.
Abstract: MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.
1,583 citations