Book Chapter

Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family

15 Sep 2008, pp. 244-259

TL;DR: Two different deterministic attacks against the 21-step SHA-2 hash family are constructed, and evidence is provided that the Nikolic-Biryukov differential path is unlikely to yield 21-step collisions for SHA-512.

Abstract: Recently, at FSE '08, Nikolic and Biryukov introduced a new technique for analyzing SHA-2 round function. Building on their work, but using other differential paths, we construct two different deterministic attacks against 21-step SHA-2 hash family. Since the attacks are deterministic, they are actually combinatorial constructions of collisions. There are six free words in our first construction. This gives exactly $2^{192}$ different collisions for 21-step SHA-256 and exactly $2^{384}$ different collisions for 21-step SHA-512. The second construction has five free words. The best previous result, due to Nikolic and Biryukov, for finding collisions for 21-step SHA-256 holds with probability $2^{-19}$. No results on 21-step SHA-512 are previously known. Further, we provide evidence that the Nikolic-Biryukov differential path is unlikely to yield 21-step collisions for SHA-512.


Citations
Book Chapter
04 Dec 2011
TL;DR: This paper presents the first automated tool for finding complex differential characteristics in SHA-2 and shows that the techniques on SHA-1 cannot directly be applied to SHA-2, and shows how to overcome difficulties by including the search for conforming message pairs in the search for differential characteristics.
Abstract: In this paper, we analyze the collision resistance of SHA-2 and provide the first results since the beginning of the NIST SHA-3 competition. We extend the previously best known semi-free-start collisions on SHA-256 from 24 to 32 (out of 64) steps and show a collision attack for 27 steps. All our attacks are practical and verified by colliding message pairs. We present the first automated tool for finding complex differential characteristics in SHA-2 and show that the techniques on SHA-1 cannot directly be applied to SHA-2. Due to the more complex structure of SHA-2 several new problems arise. Most importantly, a large amount of contradicting conditions occur which render most differential characteristics impossible. We show how to overcome these difficulties by including the search for conforming message pairs in the search for differential characteristics.

75 citations

Book Chapter
14 Dec 2008
TL;DR: In this article, the authors presented new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08.
Abstract: In this work, we provide new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08. The success probability of our 22-step attack is 1 for both SHA-256 and SHA-512. The computational efforts for the 23-step and 24-step SHA-256 attacks are respectively $2^{11.5}$ and $2^{28.5}$ calls to the corresponding step reduced SHA-256. The corresponding values for the 23 and 24-step SHA-512 attack are respectively $2^{16.5}$ and $2^{32.5}$ calls. Using a look-up table having $2^{32}$ (resp. $2^{64}$) entries the computational effort for finding 24-step SHA-256 (resp. SHA-512) collisions can be reduced to $2^{15.5}$ (resp. $2^{22.5}$) calls. We exhibit colliding message pairs for 22, 23 and 24-step SHA-256 and SHA-512. This is the first time that a colliding message pair for 24-step SHA-512 is provided. The previous work on 23 and 24-step SHA-2 attacks is due to Indesteege et al. and utilizes the local collision presented by Nikolic and Biryukov (NB) at FSE '08. The reported computational efforts are $2^{18}$ and $2^{28.5}$ for 23 and 24-step SHA-256 respectively and $2^{43.9}$ and $2^{53}$ for 23 and 24-step SHA-512. The previous 23 and 24-step attacks first constructed a pseudo-collision and later converted it into a collision for the reduced round SHA-2 family. We show that this two step procedure is unnecessary. Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family.

65 citations

Posted Content
TL;DR: New and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08 are provided.
Abstract: In this work, we provide new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP ’08. The success probability of our 22-step attack is 1 for both SHA-256 and SHA-512. The computational efforts for the 23-step and 24-step SHA-256 attacks are respectively $2^{11.5}$ and $2^{28.5}$ calls to the corresponding step reduced SHA-256. The corresponding values for the 23 and 24-step SHA-512 attack are respectively $2^{16.5}$ and $2^{32.5}$ calls. Using a look-up table having $2^{32}$ (resp. $2^{64}$) entries the computational effort for finding 24-step SHA-256 (resp. SHA-512) collisions can be reduced to $2^{15.5}$ (resp. $2^{22.5}$) calls. We exhibit colliding message pairs for 22, 23 and 24-step SHA-256 and SHA-512. This is the first time that a colliding message pair for 24-step SHA-512 is provided. The previous work on 23 and 24-step SHA-2 attacks is due to Indesteege et al. and utilizes the local collision presented by Nikolic and Biryukov (NB) at FSE ’08. The reported computational efforts are $2^{18}$ and $2^{28.5}$ for 23 and 24-step SHA-256 respectively and $2^{43.9}$ and $2^{53}$ for 23 and 24-step SHA-512. The previous 23 and 24-step attacks first constructed a pseudo-collision and later converted it into a collision for the reduced round SHA-2 family. We show that this two step procedure is unnecessary. Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family.

53 citations

Book
01 Jan 2007
TL;DR: A Secure Virtual Execution Environment for Untrusted Code and Security-Preserving Asymmetric Protocol Encapsulation are studied.
Abstract: Cryptanalysis - I.- Cryptanalysis of a Hash Function Proposed at ICISC 2006.- Cryptanalysis of Reduced Versions of the HIGHT Block Cipher from CHES 2006.- A Cryptanalysis of the Double-Round Quadratic Cryptosystem.- A Lightweight Privacy Preserving Authentication and Access Control Scheme for Ubiquitous Computing Environment.- Establishing RBAC-Based Secure Interoperability in Decentralized Multi-domain Environments.- Handling Dynamic Information Release.- Cryptanalysis - II.- Improving the Time Complexity of Matsui's Linear Cryptanalysis.- On Large Distributions for Linear Cryptanalysis.- Passive Attacks on a Class of Authentication Protocols for RFID.- Side Channel Attacks on Irregularly Decimated Generators.- Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module.- Filesystem Activity Following a SSH Compromise: An Empirical Study of File Sequences.- A Secure Virtual Execution Environment for Untrusted Code.- Liveness Detection of Fingerprint Based on Band-Selective Fourier Spectrum.- Improving Upon the TET Mode of Operation.- Hash Functions - I.- New Local Collisions for the SHA-2 Hash Family.- Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL.- Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4.- New Results on Impossible Differential Cryptanalysis of Reduced AES.- A Note About the Traceability Properties of Linear Codes.- Power Analysis Attacks on MDPL and DRSL Implementations.- Safe-Error Attack on SPA-FA Resistant Exponentiations Using a HW Modular Multiplier.- Generalized MMM-Algorithm Secure Against SPA, DPA, and RPA.- Pairing-Friendly Elliptic Curves with Small Security Loss by Cheon's Algorithm.- Hash Functions - II.- Analysis of Multivariate Hash Functions.- Colliding Message Pair for 53-Step HAS-160.- Weaknesses in the HAS-V Compression Function.- Security-Preserving Asymmetric Protocol Encapsulation.

49 citations

Dissertation
01 Nov 2012
TL;DR: This dissertation presents extensions to the Inductive Method for protocol verification in the Isabelle/HOL interactive theorem prover for electronic voting protocols and shows the approach to be generic enough to be re-usable on other protocols while maintaining a coherent line of reasoning.
Abstract: Security protocols are predefined sequences of message exchanges. Their uses over computer networks aim to provide certain guarantees to protocol participants. The sensitive nature of many applications resting on protocols encourages the use of formal methods to provide rigorous correctness proofs. This dissertation presents extensions to the Inductive Method for protocol verification in the Isabelle/HOL interactive theorem prover. The current state of the Inductive Method and of other protocol analysis techniques are reviewed. Protocol composition modelling in the Inductive Method is introduced and put in practice by holistically verifying the composition of a certification protocol with an authentication protocol. Unlike some existing approaches, we are not constrained by independence requirements or search space limitations. A special kind of identity-based signatures, auditable ones, are specified in the Inductive Method and integrated in an analysis of a recent ISO/IEC 9798-3 protocol. A side-by-side verification features both a version of the protocol with auditable identity-based signatures and a version with plain ones. The largest part of the thesis presents extensions for the verification of electronic voting protocols. Innovative specification and verification strategies are described. The crucial property of voter privacy, being the impossibility of knowing how a specific voter voted, is modelled as an unlinkability property between pieces of information. Unlinkability is then specified in the Inductive Method using novel message operators. An electronic voting protocol by Fujioka, Okamoto and Ohta is modelled in the Inductive Method. Its classic confidentiality properties are verified, followed by voter privacy. The approach is shown to be generic enough to be re-usable on other protocols while maintaining a coherent line of reasoning. We compare our work with the widespread process equivalence model and examine respective strengths.

8 citations


References
Book
01 Jan 2001
TL;DR: Simplified variants that omit a quadratic function and a fixed rotation in RC6 are examined to clarify their essential contribution to the overall security of RC6.
Abstract: RC6 has been submitted as a candidate for the Advanced Encryption Standard (AES). Two important features of RC6 that were absent from its predecessor RC5 are a quadratic function and a fixed rotation. By examining simplified variants that omit these features we clarify their essential contribution to the overall security of RC6.

1,487 citations

Book Chapter
16 Aug 2001
TL;DR: A short overview of recent works on the problem of Decoding Reed Solomon Codes (aka Polynomial Reconstruction) and the novel applications that were enabled due to this development.
Abstract: Cryptography and Coding Theory are closely knitted in many respects. Recently, the problem of Decoding Reed Solomon Codes (aka Polynomial Reconstruction) was suggested as an intractability assumption upon which the security of cryptographic protocols can be based. This has initiated a line of research that exploited the rich algebraic structure of the problem and related subproblems of which in the cryptographic setting. Here we give a short overview of recent works on the subject and the novel applications that were enabled due to this development.

1,440 citations

Book
01 Jan 1998

648 citations

Journal Article
TL;DR: In this paper, the authors presented a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers and obtained a theoretical attack on the compression function SHA-0 with complexity $2^{61}$, which is thus better than the birthday paradox attack.
Abstract: In this paper we present a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers. Using this method, we obtain a theoretical attack on the compression function SHA-0 with complexity $2^{61}$, which is thus better than the birthday paradox attack. In the case of SHA-1, this method is unable to find collisions faster than the birthday paradox. This is a strong evidence that the transition to version 1 indeed raised the level of security of SHA.

267 citations

Journal Article
TL;DR: In this article, the security of SHA-256, SHA-384 and SHA-512 against collision attacks is studied. The authors conclude that neither Chabaud and Joux's attack nor Dobbertin-style attacks apply, and that differential and linear attacks also do not apply to the underlying structure.
Abstract: This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks apply. Differential and linear attacks also don't apply on the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.

226 citations