scispace - formally typeset
Search or ask a question
Book ChapterDOI

Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family

15 Sep 2008-pp 244-259
TL;DR: Two different deterministic attacks against 21-step SHA-2 hash family are constructed, and it is provided evidence that the Nikolic-Biryukov differential path is unlikely to yield 21- step collisions for SHA-512.
Abstract: Recently, at FSE '08, Nikolic and Biryukov introduced a new technique for analyzing SHA-2 round function. Building on their work, but using other differential paths, we construct two different deterministic attacks against 21-step SHA-2 hash family. Since the attacks are deterministic, they are actually combinatorial constructions of collisions. There are six free words in our first construction. This gives exactly 2192different collisions for 21-step SHA-256 and exactly 2384different collisions for 21-step SHA-512. The second construction has five free words. The best previous result, due to Nikolic and Biryukov, for finding collisions for 21-step SHA-256 holds with probability 2i¾? 19. No results on 21-step SHA-512 are previously known. Further, we provide evidence that the Nikolic-Biryukov differential path is unlikely to yield 21-step collisions for SHA-512.
Citations
More filters
Book ChapterDOI
04 Dec 2011
TL;DR: This paper presents the first automated tool for finding complex differential characteristics in SHA-2 and shows that the techniques on SHA-1 cannot directly be applied toSHA-2, and shows how to overcome difficulties by including the search for conforming message pairs in thesearch for differential characteristics.
Abstract: In this paper, we analyze the collision resistance of SHA-2 and provide the first results since the beginning of the NIST SHA-3 competition. We extend the previously best known semi-free-start collisions on SHA-256 from 24 to 32 (out of 64) steps and show a collision attack for 27 steps. All our attacks are practical and verified by colliding message pairs. We present the first automated tool for finding complex differential characteristics in SHA-2 and show that the techniques on SHA-1 cannot directly be applied to SHA-2. Due to the more complex structure of SHA-2 several new problems arise. Most importantly, a large amount of contradicting conditions occur which render most differential characteristics impossible. We show how to overcome these difficulties by including the search for conforming message pairs in the search for differential characteristics.

85 citations

Book ChapterDOI
14 Dec 2008
TL;DR: In this article, the authors presented new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08.
Abstract: In this work, we provide new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08. The success probability of our 22-step attack is 1 for both SHA-256 and SHA-512. The computational efforts for the 23-step and 24-step SHA-256 attacks are respectively 211.5 and 228.5 calls to the corresponding step reduced SHA-256. The corresponding values for the 23 and 24-step SHA-512 attack are respectively 216.5 and 232.5 calls. Using a look-up table having 232 (resp. 264) entries the computational effort for finding 24-step SHA-256 (resp. SHA-512) collisions can be reduced to 215.5 (resp. 222.5) calls. We exhibit colliding message pairs for 22, 23 and 24-step SHA-256 and SHA-512. This is the first time that a colliding message pair for 24-step SHA-512 is provided. The previous work on 23 and 24-step SHA-2 attacks is due to Indesteege et al. and utilizes the local collision presented by Nikolic and Biryukov (NB) at FSE '08. The reported computational efforts are 218 and 228.5 for 23 and 24-step SHA-256 respectively and 243.9 and 253 for 23 and 24-step SHA-512. The previous 23 and 24-step attacks first constructed a pseudo-collision and later converted it into a collision for the reduced round SHA-2 family. We show that this two step procedure is unnecessary. Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family.

66 citations

Posted Content
TL;DR: New and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08 are provided.
Abstract: In this work, we provide new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP ’08. The success probability of our 22-step attack is 1 for both SHA-256 and SHA-512. The computational efforts for the 23-step and 24step SHA-256 attacks are respectively 2 and 2 calls to the corresponding step reduced SHA-256. The corresponding values for the 23 and 24-step SHA-512 attack are respectively 2 and 2 calls. Using a look-up table having 2 (resp. 2) entries the computational effort for finding 24-step SHA-256 (resp. SHA-512) collisions can be reduced to 2 (resp. 2) calls. We exhibit colliding message pairs for 22, 23 and 24-step SHA-256 and SHA-512. This is the first time that a colliding message pair for 24-step SHA-512 is provided. The previous work on 23 and 24-step SHA-2 attacks is due to Indesteege et al. and utilizes the local collision presented by Nikolic and Biryukov (NB) at FSE ’08. The reported computational efforts are 2 and 2 for 23 and 24-step SHA-256 respectively and 2 and 2 for 23 and 24-step SHA-512. The previous 23 and 24-step attacks first constructed a pseudo-collision and later converted it into a collision for the reduced round SHA-2 family. We show that this two step procedure is unnecessary. Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family.

54 citations

Book
01 Jan 2007
TL;DR: A Secure Virtual Execution Environment for Untrusted Code and Security-Preserving Asymmetric Protocol Encapsulation are studied.
Abstract: Cryptanalysis - I.- Cryptanalysis of a Hash Function Proposed at ICISC 2006.- Cryptanalysis of Reduced Versions of the HIGHT Block Cipher from CHES 2006.- A Cryptanalysis of the Double-Round Quadratic Cryptosystem.- A Lightweight Privacy Preserving Authentication and Access Control Scheme for Ubiquitous Computing Environment.- Establishing RBAC-Based Secure Interoperability in Decentralized Multi-domain Environments.- Handling Dynamic Information Release.- Cryptanalysis - II.- Improving the Time Complexity of Matsui's Linear Cryptanalysis.- On Large Distributions for Linear Cryptanalysis.- Passive Attacks on a Class of Authentication Protocols for RFID.- Side Channel Attacks on Irregularly Decimated Generators.- Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module.- Filesystem Activity Following a SSH Compromise: An Empirical Study of File Sequences.- A Secure Virtual Execution Environment for Untrusted Code.- Liveness Detection of Fingerprint Based on Band-Selective Fourier Spectrum.- Improving Upon the TET Mode of Operation.- Hash Functions - I.- New Local Collisions for the SHA-2 Hash Family.- Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL.- Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4.- New Results on Impossible Differential Cryptanalysis of Reduced AES.- A Note About the Traceability Properties of Linear Codes.- Power Analysis Attacks on MDPL and DRSL Implementations.- Safe-Error Attack on SPA-FA Resistant Exponentiations Using a HW Modular Multiplier.- Generalized MMM-Algorithm Secure Against SPA, DPA, and RPA.- Pairing-Friendly Elliptic Curves with Small Security Loss by Cheon's Algorithm.- Hash Functions - II.- Analysis of Multivariate Hash Functions.- Colliding Message Pair for 53-Step HAS-160.- Weaknesses in the HAS-V Compression Function.- Security-Preserving Asymmetric Protocol Encapsulation.

49 citations

Dissertation
01 Nov 2012
TL;DR: This dissertation presents extensions to the Inductive Method for protocol verification in the Isabelle/HOL interactive theorem prover for electronic voting protocols and shows the approach to be generic enough to be re-usable on other protocols while maintaining a coherent line of reasoning.
Abstract: Security protocols are predefined sequences of message exchanges. Their uses over computer networks aim to provide certain guarantees to protocol participants. The sensitive nature of many applications resting on protocols encourages the use of formal methods to provide rigorous correctness proofs. This dissertation presents extensions to the Inductive Method for protocol verification in the Isabelle/HOL interactive theorem prover. The current state of the Inductive Method and of other protocol analysis techniques are reviewed. Protocol composition modelling in the Inductive Method is introduced and put in practice by holistically verifying the composition of a certification protocol with an authentication protocol. Unlike some existing approaches, we are not constrained by independence requirements or search space limitations. A special kind of identity-based signatures, auditable ones, are specified in the Inductive Method and integrated in an analysis of a recent ISO/IEC 9798-3 protocol. A side-by-side verification features both a version of the protocol with auditable identity-based signatures and a version with plain ones. The largest part of the thesis presents extensions for the verification of electronic voting protocols. Innovative specification and verification strategies are described. The crucial property of voter privacy, being the impossibility of knowing how a specific voter voted, is modelled as an unlinkability property between pieces of information. Unlinkability is then specified in the Inductive Method using novel message operators. An electronic voting protocol by Fujioka, Okamoto and Ohta is modelled in the Inductive Method. Its classic confidentiality properties are verified, followed by voter privacy. The approach is shown to be generic enough to be re-usable on other protocols while maintaining a coherent line of reasoning. We compare our work with the widespread process equivalence model and examine respective strengths.

9 citations

References
More filters
Book
01 Jan 2007
TL;DR: A Secure Virtual Execution Environment for Untrusted Code and Security-Preserving Asymmetric Protocol Encapsulation are studied.
Abstract: Cryptanalysis - I.- Cryptanalysis of a Hash Function Proposed at ICISC 2006.- Cryptanalysis of Reduced Versions of the HIGHT Block Cipher from CHES 2006.- A Cryptanalysis of the Double-Round Quadratic Cryptosystem.- A Lightweight Privacy Preserving Authentication and Access Control Scheme for Ubiquitous Computing Environment.- Establishing RBAC-Based Secure Interoperability in Decentralized Multi-domain Environments.- Handling Dynamic Information Release.- Cryptanalysis - II.- Improving the Time Complexity of Matsui's Linear Cryptanalysis.- On Large Distributions for Linear Cryptanalysis.- Passive Attacks on a Class of Authentication Protocols for RFID.- Side Channel Attacks on Irregularly Decimated Generators.- Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module.- Filesystem Activity Following a SSH Compromise: An Empirical Study of File Sequences.- A Secure Virtual Execution Environment for Untrusted Code.- Liveness Detection of Fingerprint Based on Band-Selective Fourier Spectrum.- Improving Upon the TET Mode of Operation.- Hash Functions - I.- New Local Collisions for the SHA-2 Hash Family.- Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL.- Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4.- New Results on Impossible Differential Cryptanalysis of Reduced AES.- A Note About the Traceability Properties of Linear Codes.- Power Analysis Attacks on MDPL and DRSL Implementations.- Safe-Error Attack on SPA-FA Resistant Exponentiations Using a HW Modular Multiplier.- Generalized MMM-Algorithm Secure Against SPA, DPA, and RPA.- Pairing-Friendly Elliptic Curves with Small Security Loss by Cheon's Algorithm.- Hash Functions - II.- Analysis of Multivariate Hash Functions.- Colliding Message Pair for 53-Step HAS-160.- Weaknesses in the HAS-V Compression Function.- Security-Preserving Asymmetric Protocol Encapsulation.

49 citations

Book ChapterDOI
29 Nov 2007
TL;DR: In this paper, the authors make a systematic study of local collisions for the SHA-2 family and identify certain impossible conditions for linear approximations of the constituent Boolean functions and compute the probabilities of the various differential paths.
Abstract: The starting point for collision attacks on practical hash functions is a local collision. In this paper, we make a systematic study of local collisions for the SHA-2 family. The possible linear approximations of the constituent Boolean functions are considered and certain impossible conditions for such approximations are identified. Based on appropriate approximations, we describe a general method for finding local collisions. Applying this method, we obtain several local collisions and compute the probabilities of the various differential paths. Previously, only one local collision due to Gilbert-Handschuh was known. We point out two impossible conditions in the GH local collision and provide an example of an impossible differential path for linearized SHA-2 using this local collision. Sixteen new local collisions are obtained none of which have any impossible conditions. The probabilities of these local collisions are a little less than the GH local collision. On the other hand, the absence of impossible conditions may make them more suitable for (reduced round) collision search attacks on the SHA-2 family.

17 citations

Posted Content
TL;DR: Nikolic and Biryukov as discussed by the authors presented a generalized nonlinear local collision which accepts an arbitrary initial message difference and showed that this local collision succeeds with probability 1, which is the best known result.
Abstract: Most of the attacks against (reduced) SHA-2 family in literature have used local collisions which are valid for linearized version of SHA-2 hash functions. Recently, at FSE ’08, an attack against reduced round SHA-256 was presented by Nikolic and Biryukov which used a local collision which is valid for the actual SHA-256 function. It is a 9-step local collision which starts by introducing a modular difference of 1 in the two messages. It succeeds with probability roughly 1/3. We build on the work of Nikolic and Biryukov and provide a generalized nonlinear local collision which accepts an arbitrary initial message difference. This local collision succeeds with probability 1. Using this local collision we present attacks against 18-step SHA256 and 18-step SHA-512 with arbitrary initial difference. Both of these attacks succeed with probability 1. We then present special cases of our local collision and show two different differential paths for attacking 20-step SHA-256 and 20-step SHA-512. One of these paths is the same as presented by Nikolic and Biryukov while the other one is a new differential path. Messages following both these differential paths can be found with probability 1. This improves on the previous result where the success probability of 20-step attack was 1/3. Finally, we present two differential paths for 21-step collisions for SHA-256 and SHA-512, one of which is a new path. The success probability of these paths for SHA-256 is roughly 2 and 2 which improves on the 21-step attack having probability 2 reported earlier. We show examples of message pairs following all the presented differential paths for up to 21-step collisions in SHA-256. We also show first real examples of colliding message pairs for up to 20-step reduced SHA-512.

17 citations

Book ChapterDOI
07 Jul 2008
TL;DR: This work builds on the work of Nikolic and Biryukov and provides a generalized nonlinear local collision which accepts an arbitrary initial message difference and presents first real examples of colliding message pairs for up to 20-step reduced SHA-512.
Abstract: Most of the attacks against (reduced) SHA-2 family in literature have used local collisions which are valid for linearized version of SHA-2 hash functions. Recently, at FSE '08, an attack against reduced round SHA-256 was presented by Nikolic and Biryukov which used a local collision which is valid for the actual SHA-256 function. It is a 9-step local collision which starts by introducing a modular difference of 1 in the two messages. It succeeds with probability roughly 1/3. We build on the work of Nikolic and Biryukov and provide a generalized nonlinear local collision which accepts an arbitrary initial message difference. This local collision succeeds with probability 1. Using this local collision we present attacks against 18-step SHA-256 and 18-step SHA-512 with arbitrary initial difference. Both of these attacks succeed with probability 1. We then present special cases of our local collision and show two different differential paths for attacking 20-step SHA-256 and 20-step SHA-512. One of these paths is the same as presented by Nikolic and Biryukov while the other one is a new differential path. Messages following both these differential paths can be found with probability 1. This improves on the previous result where the success probability of 20-step attack was 1/3. Finally, we present two differential paths for 21-step collisions for SHA-256 and SHA-512, one of which is a new path. The success probabilities of these paths for SHA-256 are roughly 2? 15and 2? 17which improve on the 21-step attack having probability 2? 19reported earlier. We show examples of message pairs following all the presented differential paths for up to 21-step collisions in SHA-256. We also show first real examples of colliding message pairs for up to 20-step reduced SHA-512.

15 citations


"Deterministic Constructions of 21-S..." refers methods in this paper

  • ...Linearized local collisions have been used in [3,4] and [ 7 ] to attack 18-step SHA-256....

    [...]

Book ChapterDOI
03 Jun 2008
TL;DR: In this paper, the authors presented a 19-step differential path for the SHA-256 hash function, which can be seen as a linearized local collision at the message word level.
Abstract: The SHA-256 hash function has started getting attention recently by the cryptanalysis community due to the various weaknesses found in its predecessors such as MD4, MD5, SHA-0 and SHA-1. We make two contributions in this work. First we describe message modification techniques and use them to obtain an algorithm to generate message pairs which collide for the actual SHA-256 reduced to 18 steps. Our second contribution is to present differential paths for 19, 20, 21, 22 and 23 steps of SHA-256. We construct parity check equations in a novel way to find these characteristics. Further, the 19-step differential path presented here is constructed by using only 15 local collisions, as against the previously known 19-step near collision differential path which consists of interleaving of 23 local collisions. Our 19-step differential path can also be seen as a single local collision at the message word level. We use a linearized local collision in this work. These results do not cause any threat to the security of the SHA-256 hash function.

14 citations