scispace - formally typeset
Search or ask a question
Book ChapterDOI

Efficient collision search attacks on SHA-0

14 Aug 2005-pp 1-16
TL;DR: Using the new techniques, this paper can find collisions of the full 80-step SHA-0 with complexity less than 239 hash operations.
Abstract: In this paper, we present new techniques for collision search in the hash function SHA-0. Using the new techniques, we can find collisions of the full 80-step SHA-0 with complexity less than 239 hash operations.

Content maybe subject to copyright    Report

Citations
More filters
Book ChapterDOI
14 Aug 2005
TL;DR: This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound, and it is shown that collisions ofSHA-1 can be found with complexityLess than 269 hash operations.
Abstract: In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 269 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound.

1,600 citations

Book ChapterDOI
14 Aug 2011
TL;DR: The PHOTON lightweight hash function as mentioned in this paper uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation to obtain the most compact hash function known, reaching areas very close to the theoretical optimum.
Abstract: RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an ontag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active Sboxes. This kind of AES-like primitive is usually not well suited for ultra constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.

426 citations

Book ChapterDOI
19 Aug 2007
TL;DR: Constrained chosen-ciphertext security is a new security notion for KEMs that has a very constructive appeal and is demonstrated with a new encryption scheme whose security relies on a class of intractability assumptions strictly weaker than the Decision Diffie-Hellman assumption.
Abstract: We put forward a new paradigm for building hybrid encryption schemes from constrained chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated symmetric encryption. Constrained chosen-ciphertext security is a new security notion for KEMs that we propose. It has less demanding security requirements than standard CCCA security (since it requires the adversary to have a certain plaintext-knowledge when making a decapsulation query) yet we can prove that it is CCCA sufficient for secure hybrid encryption. Our notion is not only useful to express the Kurosawa-Desmedt public-key encryption scheme and its generalizations to hash-proof systems in an abstract KEM/DEM security framework. It also has a very constructive appeal, which we demonstrate with a new encryption scheme whose security relies on a class of intractability assumptions that we show (in the generic group model) strictly weaker than the Decision Diffie-Hellman (DDH) assumption. This appears to be the first practical public-key encryption scheme in the literature from an algebraic assumption strictly weaker than DDH.

305 citations


Cites methods from "Efficient collision search attacks ..."

  • ...So as long as one does not want to sacrifice provable security by implementing the TCR function with a dedicated hash function like SHA-x or MD5 (what potentially renders the whole scheme insecure given the recent progress in attacking certain hash functions [38, 39]), one must either resort to inefficient generic constructions of TCR functions [25, 33], or one can use the “hash-free technique” described in [14]....

    [...]

Book ChapterDOI
03 Dec 2006
TL;DR: A method to search for characteristics in an automatic way for multi-block attacks, and as a proof of concept, gives a two-block collision for 64-step SHA-1 based on a new characteristic.
Abstract: The most efficient collision attacks on members of the SHA family presented so far all use complex characteristics which were manually constructed by Wang et al. In this report, we describe a method to search for characteristics in an automatic way. This is particularly useful for multi-block attacks, and as a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search, which facilitates optimization.

286 citations


Cites background from "Efficient collision search attacks ..."

  • ...[20, 22] describe further major improvements....

    [...]

  • ...In [20, 22], examples for NL-characteristics are given which connect to a previously selected L-characteristic in the first block....

    [...]

Posted Content
TL;DR: Constrained chosen-ciphertext security (CCCA) is a new security notion for KEMs that was proposed in this paper, where the authors showed that CCCA is sufficient for secure hybrid encryption.
Abstract: We put forward a new paradigm for building hybrid encryption schemes from constrained chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated symmetric encryption. Constrained chosen-ciphertext security is a new security notion for KEMs that we propose. CCCA has less demanding security requirements than standard chosen-ciphertext (CCA) security (since it requires the adversary to have a certain plaintextknowledge when making a decapsulation query) yet we can prove that CCCA is sufficient for secure hybrid encryption. Our notion is not only useful to express the Kurosawa-Desmedt public-key encryption scheme and its generalizations to hash-proof systems in an abstract KEM/DEM security framework. It also has a very constructive appeal, which we demonstrate with a new encryption scheme whose security relies on a class of intractability assumptions that we show (in the generic group model) strictly weaker than the Decision Diffie-Hellman (DDH) assumption. This appears to be the first practical public-key encryption scheme in the literature from an algebraic assumption strictly weaker than DDH.

239 citations

References
More filters
Book ChapterDOI
14 Aug 2005
TL;DR: This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound, and it is shown that collisions ofSHA-1 can be found with complexityLess than 269 hash operations.
Abstract: In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 269 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound.

1,600 citations

Book ChapterDOI
22 May 2005
TL;DR: A new powerful attack on MD5 is presented, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.
Abstract: MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

1,583 citations


"Efficient collision search attacks ..." refers background or methods in this paper

  • ...The advanced modification techniques, however, do not seem to be directly applied to SHA-0 as in the cases of MD4, HAVAL-128 and MD5 etc....

    [...]

  • ...For MD5, the conditions are very concentrated in steps 17 and 18, while for SHA-0 the conditions are spread out due to the local collisions....

    [...]

  • ...Given the neutral bit techniques [1] which already allow the bypass of the first 22 steps, the modification techniques, as they were used in MD5, are difficult to offer additional improvements over the best existing attacks on SHA-0....

    [...]

  • ...In Section 4, we review the “message modification techniques” presented in [11,12,13] to break HAVA-128, MD5, MD4 and RIPEMD, and consider their effectiveness in improving existing attacks on SHA-0....

    [...]

  • ...Message modification techniques have been introduced in attacking HAVAL-128, MD5, MD4, RIPEMD [11,12,13] and SHA-0 [15] (not gave the precise description in [15])....

    [...]

BookDOI
01 Jan 2005

979 citations

Journal Article
TL;DR: This paper discusses Cryptography in High Dimensional Tori, a Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers, and reducing Complexity Assumptions for Statistically-Hiding Commitment.

965 citations

BookDOI
01 Jan 2004
TL;DR: A formal statistical framework for block cipher attacks based on this technique is developed and explicit and compact gain formulas for generalized versions of Matsui’s Algorithm 1 and Algorithm 2 are derived.
Abstract: In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui’s Algorithm 1 and Algorithm 2. The theoretical framework allows both approaches to be treated in a unified way, and predicts significantly improved attack complexities compared to current linear attacks using a single approximation. In order to substantiate the theoretical claims, we benchmarked the attacks against reduced-round versions of DES and observed a clear reduction of the data and time complexities, in almost perfect correspondence with the predictions. The complexities are reduced by several orders of magnitude for Algorithm 1, and the significant improvement in the case of Algorithm 2 suggests that this approach may outperform the currently best attacks on the full DES algorithm.

759 citations