Finding Bugs in Cryptographic Hash Function Implementations
TLDR
This work revisits the National Institute of Standards and Technology hash function competition, which was used to develop the SHA-3 standard, applies a new testing strategy to all available reference implementations, and develops four tests motivated by the cryptographic properties that a hash function should satisfy.
Abstract:
Cryptographic hash functions are security-critical algorithms with many practical applications, notably in digital signatures. Developing an approach to test them can be particularly difficult, and bugs can remain unnoticed for many years. We revisit the National Institute of Standards and Technology hash function competition, which was used to develop the SHA-3 standard, and apply a new testing strategy to all available reference implementations. Motivated by the cryptographic properties that a hash function should satisfy, we develop four tests. The Bit-Contribution Test checks if changes in the message affect the hash value, and the Bit-Exclusion Test checks that changes beyond the last message bit leave the hash value unchanged. We develop the Update Test to verify that messages are processed correctly in chunks, and then use combinatorial testing methods to reduce the test set size by several orders of magnitude while retaining the same fault-detection capability. Our tests detect bugs in 41 of the 86 reference implementations submitted to the SHA-3 competition, including the rediscovery of a bug in all submitted implementations of the SHA-3 finalist BLAKE. This bug remained undiscovered for seven years, and is particularly serious because it provides a simple strategy to modify the message without changing the hash value returned by the implementation. We detect these bugs using a fully automated testing approach.
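The Bit-Contribution, Bit-Exclusion and Update tests named in the abstract, sketched as an added example; this is not the paper's code. The bit-oriented wrapper good_hash, the planted-defect implementations buggy_hash and BuggyStream, the MSB-first bit numbering and the sample message MSG are all constructed for illustration.

```python
import hashlib

def good_hash(data: bytes, bitlen: int) -> bytes:
    """Constructed bit-oriented hash: only the first `bitlen` bits (MSB-first) count."""
    nbytes, rem = divmod(bitlen, 8)
    msg = bytearray(data[:nbytes + (1 if rem else 0)])
    if rem:
        msg[-1] &= (0xFF << (8 - rem)) & 0xFF  # clear bits past the message end
    return hashlib.sha256(bytes(msg) + bitlen.to_bytes(8, "big")).digest()

def buggy_hash(data: bytes, bitlen: int) -> bytes:
    """Planted defect: unused bits of the last byte are not masked."""
    return hashlib.sha256(data[:(bitlen + 7) // 8] + bitlen.to_bytes(8, "big")).digest()

class BuggyStream:
    def __init__(self):
        self.h = hashlib.sha3_256()
    def update(self, chunk: bytes):
        if len(chunk) % 136:  # planted defect: chunks of k*136 bytes are dropped
            self.h.update(chunk)
    def digest(self) -> bytes:
        return self.h.digest()

def flip(data: bytes, i: int) -> bytes:
    out = bytearray(data)
    out[i // 8] ^= 0x80 >> (i % 8)  # bit 0 is the MSB of byte 0
    return bytes(out)

def bit_contribution(h, data, bitlen):
    """Message bits whose flip leaves the digest unchanged (expected: none)."""
    ref = h(data, bitlen)
    return [i for i in range(bitlen) if h(flip(data, i), bitlen) == ref]

def bit_exclusion(h, data, bitlen):
    """Bits past the message end whose flip changes the digest (expected: none)."""
    ref = h(data, bitlen)
    return [i for i in range(bitlen, len(data) * 8) if h(flip(data, i), bitlen) != ref]

def _digest(new, *chunks):
    st = new()
    for c in chunks:
        st.update(c)
    return st.digest()

def update_test(new, data):
    """Split points where two-chunk hashing disagrees with one-shot (expected: none)."""
    ref = _digest(new, data)
    return [s for s in range(len(data) + 1) if _digest(new, data[:s], data[s:]) != ref]

MSG = bytes(range(200))  # constructed sample message
```

Each function returns the list of failing positions, so an empty list means the implementation passed. For example, bit_exclusion(buggy_hash, MSG[:5], 29) reports the three unused bits of the last byte.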