Finding collisions in the full SHA-1
14 Aug 2005-pp 17-36
TL;DR: This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound, and it is shown that collisions ofSHA-1 can be found with complexityLess than 269 hash operations.
Abstract: In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 269 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound.
Citations
More filters
04 Dec 2011
TL;DR: This paper presents the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: the first key recovery method for the full AES-128 with computational complexity 2126.1.4 and key recovery methods with lower complexity for the reduced-round versions of AES not considered before.
Abstract: Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:
The first key recovery method for the full AES-128 with computational complexity 2126.1.
The first key recovery method for the full AES-192 with computational complexity 2189.7.
The first key recovery method for the full AES-256 with computational complexity 2254.4.
Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2124.9.
Preimage search for compression functions based on the full AES versions faster than brute force.
In contrast to most shortcut attacks on AES variants, we do not need to assume related-keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.
543 citations
TL;DR: Charm as discussed by the authors is an extensible framework for rapidly prototyping cryptographic systems, including support for modular composition of cryptographic building blocks, infrastructure for developing interactive protocols, and an extensive library of re-usable code.
Abstract: We describe Charm, an extensible framework for rapidly prototyping cryptographic systems. Charm provides a number of features that explicitly support the development of new protocols, including support for modular composition of cryptographic building blocks, infrastructure for developing interactive protocols, and an extensive library of re-usable code. Our framework also provides a series of specialized tools that enable different cryptosystems to interoperate. We implemented over 40 cryptographic schemes using Charm, including some new ones that, to our knowledge, have never been built in practice. This paper describes our modular architecture, which includes a built-in benchmarking module to compare the performance of Charm primitives to existing C implementations. We show that in many cases our techniques result in an order of magnitude decrease in code size, while inducing an acceptable performance impact. Lastly, the Charm framework is freely available to the research community and to date, we have developed a large, active user base.
495 citations
14 Aug 2005
TL;DR: Using the new techniques, this paper can find collisions of the full 80-step SHA-0 with complexity less than 239 hash operations.
Abstract: In this paper, we present new techniques for collision search in the hash function SHA-0. Using the new techniques, we can find collisions of the full 80-step SHA-0 with complexity less than 239 hash operations.
450 citations
14 Aug 2011
TL;DR: The PHOTON lightweight hash function as mentioned in this paper uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation to obtain the most compact hash function known, reaching areas very close to the theoretical optimum.
Abstract: RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an ontag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active Sboxes. This kind of AES-like primitive is usually not well suited for ultra constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.
426 citations
20 Oct 2005
TL;DR: Pioneer is a primitive, called Pioneer, that can be used as a basic building block to build security systems and is demonstrated by building a kernel rootkit detector.
Abstract: We propose a primitive, called Pioneer, as a first step towards verifiable code execution on untrusted legacy hosts. Pioneer does not require any hardware support such as secure co-processors or CPU-architecture extensions. We implement Pioneer on an Intel Pentium IV Xeon processor. Pioneer can be used as a basic building block to build security systems. We demonstrate this by building a kernel rootkit detector.
358 citations
Cites background from "Finding collisions in the full SHA-..."
...The collision resistance property of SHA-1 has been compromised [25]....
[...]
References
More filters
22 May 2005
TL;DR: A new powerful attack on MD5 is presented, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.
Abstract: MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.
1,583 citations
"Finding collisions in the full SHA-..." refers background or methods in this paper
...For example, applying the new technique of combining near-collision paths into a collision path, we can improve the successful probability of the attack on MD5 from 2−37 to 2−32....
[...]
...In particular, our analysis is built upon the original differential attack on SHA-0 [14], the near collision attack on SHA-0 [1], the multi-block collision techniques [12], as well as the message modification techniques used in the collision search attacks on HAVAL-128, MD4, RIPEMD and MD5 [11,13,12]....
[...]
...For MD5 [12], the complexity of finding the first block near-collision is higher than those of the second block near-collision because of the determination for the bit-difference positions and signs in the last several steps....
[...]
...Some strategies of the attack can be utilized to further improve the attacks on MD5 and SHA-0 etc....
[...]
...Using the idea of multi-block collisions in [7,2,3,12], we can construct two-block collisions using near collisions....
[...]
Journal Article•
TL;DR: This paper discusses Cryptography in High Dimensional Tori, a Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers, and reducing Complexity Assumptions for Statistically-Hiding Commitment.
965 citations
01 Jan 2004
TL;DR: A formal statistical framework for block cipher attacks based on this technique is developed and explicit and compact gain formulas for generalized versions of Matsui’s Algorithm 1 and Algorithm 2 are derived.
Abstract: In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui’s Algorithm 1 and Algorithm 2. The theoretical framework allows both approaches to be treated in a unified way, and predicts significantly improved attack complexities compared to current linear attacks using a single approximation. In order to substantiate the theoretical claims, we benchmarked the attacks against reduced-round versions of DES and observed a clear reduction of the data and time complexities, in almost perfect correspondence with the predictions. The complexities are reduced by several orders of magnitude for Algorithm 1, and the significant improvement in the case of Algorithm 2 suggests that this approach may outperform the currently best attacks on the full DES algorithm.
759 citations