Posted Content

Cryptanalysis of Dynamic SHA(2).

TL;DR: This paper analyzed the hash functions Dynamic SHA and Dynamic SHA2, which have been selected as first round candidates in the NIST hash function competition, and presented a preimage attack on Dynamic SHA that is faster than exhaustive search.
Abstract: In this paper, we analyze the hash functions Dynamic SHA and Dynamic SHA2, which have been selected as first round candidates in the NIST hash function competition. These hash functions rely heavily on data-dependent rotations, similar to certain block ciphers, e.g., RC5. Our analysis suggests that in the case of hash functions, where the attacker has more control over the rotations, this approach is less favorable than in block ciphers. We present practical, or close to practical, collision attacks on both Dynamic SHA and Dynamic SHA2. Moreover, we present a preimage attack on Dynamic SHA that is faster than exhaustive search.


Citations
Book
09 Jan 2015
TL;DR: This is a comprehensive description of the cryptographic hash function BLAKE, one of the five final contenders in the NIST SHA3 competition, and of BLAKE2, an improved version popular among developers and applied cryptography researchers and students who need a consolidated reference and a detailed description of the design process, or guidelines on how to design a cryptographic algorithm.
Abstract: This is a comprehensive description of the cryptographic hash function BLAKE, one of the five final contenders in the NIST SHA3 competition, and of BLAKE2, an improved version popular among developers. It describes how BLAKE was designed and why BLAKE2 was developed, and it offers guidelines on implementing and using BLAKE, with a focus on software implementation. In the first two chapters, the authors offer a short introduction to cryptographic hashing, the SHA3 competition, and BLAKE. They review applications of cryptographic hashing, they describe some basic notions such as security definitions and state-of-the-art collision search methods, and they present SHA1, SHA2, and the SHA3 finalists. In the chapters that follow, the authors give a complete description of the four instances BLAKE-256, BLAKE-512, BLAKE-224, and BLAKE-384; they describe applications of BLAKE, including simple hashing with or without a salt, and HMAC and PBKDF2 constructions; they review implementation techniques, from portable C and Python to AVR assembly and vectorized code using SIMD CPU instructions; they describe BLAKE's properties with respect to hardware design for implementation in ASICs or FPGAs; they explain BLAKE's design rationale in detail, from NIST's requirements to the choice of internal parameters; they summarize the known security properties of BLAKE and describe the best attacks on reduced or modified variants; and they present BLAKE2, the successor of BLAKE, starting with motivations and also covering its performance and security aspects. The book concludes with detailed test vectors, a reference portable C implementation of BLAKE, and a list of third-party software implementations of BLAKE and BLAKE2. The book is oriented towards practice, engineering and craftsmanship, rather than theory. It is suitable for developers, engineers, and security professionals engaged with BLAKE and cryptographic hashing in general, and for applied cryptography researchers and students who need a consolidated reference and a detailed description of the design process, or guidelines on how to design a cryptographic algorithm.

42 citations


Cites background from "Cryptanalysis of Dynamic SHA(2)."

  • ...The rotation counts are fixed rather than dependent on the data, to prevent attackers from controlling the operations in order to use “weak rotations,” for example, by forcing all the counts to be zero; history has shown that data-dependent rotations are generally a bad idea [11, 106]....

  • ...
        for(i=0; i< 8;++i) v[i] = h[i];
        v[ 8] = s[0] ^ 0x243f6a88;
        v[ 9] = s[1] ^ 0x85a308d3;
        v[10] = s[2] ^ 0x13198a2e;
        v[11] = s[3] ^ 0x03707344;
        v[12] = t[0] ^ 0xa4093822;
        v[13] = t[0] ^ 0x299f31d0;
        v[14] = t[1] ^ 0x082efa98;
        v[15] = t[1] ^ 0xec4e6c89;
    ...

  • ...
        /* diagonal step for G4 and G5 */
        buf2a = _mm_set_epi64( ( __m64 )m[sig[r][10]], ( __m64 )m[sig[r][ 8]] );
        buf1a = _mm_set_epi64( ( __m64 )u[sig[r][11]], ( __m64 )u[sig[r][ 9]] );
        buf1a = _mm_xor_si128( buf1a, buf2a );
        row1a = _mm_add_epi64( _mm_add_epi64( row1a, buf1a ), row2a );
        row4a = _mm_xor_si128( row4a, row1a );
        row4a = _mm_xor_si128( _mm_srli_epi64( row4a, 32 ), _mm_slli_epi64( row4a, 32 ) );
        row3a = _mm_add_epi64( row3a, row4a );
        row2a = _mm_xor_si128( row2a, row3a );
        row2a = _mm_xor_si128( _mm_srli_epi64( row2a, 25 ), _mm_slli_epi64( row2a, 39 ) );
        buf2a = _mm_set_epi64( ( __m64 )m[sig[r][11]], ( __m64 )m[sig[r][ 9]] );
    ...

01 Jan 2012
TL;DR: This thesis proposes a novel and elegant proposal of a cryptographic hash function, Hamsi, based on the use of a relatively light underlying primitive in each iteration of the mode of operation, combined with a strong message expansion function.
Abstract: The topic of this thesis is the design and analysis of cryptographic hash functions. A hash function is a map from variable-length input bit strings to fixed-length output bit strings. Despite their simple definition, hash functions play an essential role in a wide area of applications such as digital signature algorithms, message authentication codes, password verification, and key derivation. The main contribution of this thesis is a novel and elegant proposal of a cryptographic hash function. In this thesis, we approach the problem of the design and analysis of cryptographic hash functions with a particular example, the hash function Hamsi. The design of Hamsi is based on the use of a relatively light underlying primitive in each iteration of the mode of operation, combined with a strong message expansion function. We investigate the design constraints of this approach by analyzing Hamsi. In the first part, we cover the design aspects of Hamsi and also propose a variant called Hamsi. In the subsequent parts we provide analysis results, namely indifferentiability analysis and collision analysis. Finally, as a separate research study we analyze the initialization of the stream cipher Grain.

15 citations

Proceedings Article
14 Apr 2014
TL;DR: This paper proposes a security solution for the routing protocol OLSR based on a new approach of asymmetric and dynamic encryption that will properly secure the traffic against potential attacks without decreasing network performance.
Abstract: In mobile ad-hoc networks (MANETs), data transmission is usually performed between mobile entities in an environment without infrastructure. So, data security is a key issue in MANETs. In this paper, we propose a security solution for the routing protocol OLSR. Our system is based on a new approach of asymmetric and dynamic encryption. Our goal is to properly secure the traffic against potential attacks without decreasing network performance.

10 citations

15 Jun 2010
TL;DR: This thesis describes attacks on block ciphers and compression functions and is primarily interested in the methods that are used in attacks on at least two different primitives.
Abstract: Cryptography is the science of hiding information. It is now formally a part of computer science, though the first cryptographers appeared thousands of years before the computer. The art of recovery of the hidden information, or cryptanalysis, appeared in the very beginning, and is still one of the most intriguing parts of cryptography. Cryptanalysis starts with a search for a weakness in a cryptosystem, for a flaw that was missed by its designer. An encrypted message must not reveal any information about its origin, so the cryptosystem must make it look as random as possible. Any mistake, any missed property may become a target for a cryptanalyst and a starting point for a compromise of the cryptosystem’s security — a break. This thesis is devoted to the cryptanalysis of symmetric primitives. Historically, by a symmetric encryption we understand that all the parties have the same information needed for encryption and decryption, with block and stream ciphers as the most famous examples. A block cipher transforms a large block of data with an algorithm parametrized by a secret key. A stream cipher expands a secret key into an arbitrarily long sequence, which is mixed with a data stream. Hash functions convert a data string to a fixed-length hash value, which serves as an integrity certificate. Though hash functions do not encrypt, they are designed similarly to block ciphers. A message authentication code (MAC) produces a hash value using a secret key, so they are somewhere in between ciphers and hash functions. As a result, the cryptanalysis of hash functions and MACs uses many methods, which were initially developed for the analysis of block ciphers. Ciphers, hash functions and MACs process arbitrarily long data streams, the access to which is sequential. This leads to the principle of an iterative design, where data is divided into blocks, and each block is processed by an algorithm with a fixed-length input. Such algorithms for hash functions are called compression functions. In contrast, by a block cipher we mean a primitive with a fixed-length input, which is used to encrypt arbitrarily long data in a mode of operation. This thesis describes attacks on block ciphers and compression functions. We are primarily interested in the methods that are used in attacks on at least two different primitives. Cryptanalysis is often described as a cloud of non-related and dedicated attacks, which can be used only once. We introduce it in a more structured way.

10 citations

01 Jul 2011
TL;DR: This survey is devoted to the cryptanalysis of symmetric primitives, and is primarily interested in the methods that are used in attacks on at least two different primitives.
Abstract: Cryptography is the science of hiding information. It is now formally a part of computer science, though the first cryptographers appeared thousands of years before the computer. The art of recovery of the hidden information, or cryptanalysis, appeared in the very beginning, and is still one of the most intriguing parts of cryptography.

9 citations

References
Book Chapter
22 May 2005
TL;DR: A new powerful attack on MD5 is presented, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.
Abstract: MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security has been widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes to an hour of computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

1,583 citations

Book Chapter
14 Dec 1994
TL;DR: This document describes the RC5 encryption algorithm, a fast symmetric block cipher suitable for hardware or software implementations and a novel feature of RC5 is the heavy use of data-dependent rotations.
Abstract: This document describes the RC5 encryption algorithm, a fast symmetric block cipher suitable for hardware or software implementations. A novel feature of RC5 is the heavy use of data-dependent rotations. RC5 has a variable word size, a variable number of rounds, and a variable-length secret key. The encryption and decryption algorithms are exceptionally simple.

894 citations

Book Chapter
22 May 2005
TL;DR: In this article, the Damgard-Merkle construction is used to construct expandable messages for any n-bit iterated hash function, which requires only a small multiple of the work done to find a single collision in the hash function.
Abstract: We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgard-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2^k-message-block message with about k × 2^(n/2+1) + 2^(n−k+1) work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2^60 byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages–patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgard-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.

381 citations

Book Chapter
03 Dec 2006
TL;DR: A method to search for characteristics in an automatic way for multi-block attacks, and as a proof of concept, gives a two-block collision for 64-step SHA-1 based on a new characteristic.
Abstract: The most efficient collision attacks on members of the SHA family presented so far all use complex characteristics which were manually constructed by Wang et al. In this report, we describe a method to search for characteristics in an automatic way. This is particularly useful for multi-block attacks, and as a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search, which facilitates optimization.

286 citations

Book Chapter
28 May 2006
TL;DR: A new attack on Damgard-Merkle hash functions is developed, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix.
Abstract: In this paper, we develop a new attack on Damgard-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have–Chosen Target Forced Prefix (CTFP) preimage resistance–and show the distinction between Damgard-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value.

225 citations