Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1
19 Aug 2009-pp 70-89
TL;DR: The newly developed cryptanalytic techniques enable the meet-in-the-middle attack to be applied to reduced SHA-0 and SHA-1 hash functions by analyzing a message schedule that does not consist of permutations but linear combinations of message words.
Abstract: Preimage resistance of several hash functions has already been broken by the meet-in-the-middle attacks and they utilize a property that their message schedules consist of only permutations of message words. It is unclear whether this type of attacks is applicable to a hash function whose message schedule does not consist of permutations of message words. This paper proposes new attacks against reduced SHA-0 and SHA-1 hash functions by analyzing a message schedule that does not consist of permutations but linear combinations of message words. The newly developed cryptanalytic techniques enable the meet-in-the-middle attack to be applied to reduced SHA-0 and SHA-1 hash functions. The attacks find preimages of SHA-0 and SHA-1 in 2156.6 and 2159.3 compression function computations up to 52 and 48 steps, respectively, compared to the brute-force attack, which requires 2160 compression function computations. The previous best attacks find preimages up to 49 and 44 steps, respectively.
Citations
More filters
04 Dec 2011
TL;DR: This paper presents the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: the first key recovery method for the full AES-128 with computational complexity 2126.1.4 and key recovery methods with lower complexity for the reduced-round versions of AES not considered before.
Abstract: Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:
The first key recovery method for the full AES-128 with computational complexity 2126.1.
The first key recovery method for the full AES-192 with computational complexity 2189.7.
The first key recovery method for the full AES-256 with computational complexity 2254.4.
Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2124.9.
Preimage search for compression functions based on the full AES versions faster than brute force.
In contrast to most shortcut attacks on AES variants, we do not need to assume related-keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.
543 citations
28 Sep 2011
TL;DR: Piccolo is one of the competitive ultra-lightweight blockciphers which is suitable for extremely constrained environments such as RFID tags and sensor nodes and its efficiency on the energy consumption which is evaluated by energy per bit is also remarkable.
Abstract: We propose a new 64-bit blockcipher Piccolo supporting 80 and 128-bit keys Adopting several novel design and implementation techniques, Piccolo achieves both high security and notably compact implementation in hardware We show that Piccolo offers a sufficient security level against known analyses including recent related-key differential attacks and meet-in-the-middle attacks In our smallest implementation, the hardware requirements for the 80 and the 128-bit key mode are only 683 and 758 gate equivalents, respectively Moreover, Piccolo requires only 60 additional gate equivalents to support the decryption function due to its involution structure Furthermore, its efficiency on the energy consumption which is evaluated by energy per bit is also remarkable Thus, Piccolo is one of the competitive ultra-lightweight blockciphers which are suitable for extremely constrained environments such as RFID tags and sensor nodes
457 citations
19 Aug 2013
TL;DR: A new block cipher LEA, which has 128-bit block size and 128, 192, or 256-bit key size is proposed, which provides a high-speed software encryption on general-purpose processors and is secure against all the existing attacks on block ciphers.
Abstract: We propose a new block cipher LEA, which has 128-bit block size and 128, 192, or 256-bit key size. It provides a high-speed software encryption on general-purpose processors. Our experiments show that LEA is faster than AES on Intel, AMD, ARM, and ColdFire platforms. LEA can be also implemented to have tiny code size. Its hardware implementation has a competitive throughput per area. It is secure against all the existing attacks on block ciphers.
193 citations
26 May 2013
TL;DR: This paper revisits meet-in-the-middle attacks on AES in the single-key model and improves on Dunkelman, Keller and Shamir attacks at Asiacrypt 2010 and describes the best attack on 7 rounds of AES-128 where data/time/memory complexities are below 2100.
Abstract: In this paper, we revisit meet-in-the-middle attacks on AES in the single-key model and improve on Dunkelman, Keller and Shamir attacks at Asiacrypt 2010. We present the best attack on 7 rounds of AES-128 where data/time/memory complexities are below 2100. Moreover, we are able to extend the number of rounds to reach attacks on 8 rounds for both AES-192 and AES-256. This gives the best attacks on those two versions with a data complexity of 2107 chosen-plaintexts, a memory complexity of 296 and a time complexity of 2172 for AES-192 and 2196 for AES-256. Finally, we also describe the best attack on 9 rounds of AES-256 with 2120 chosen plaintexts and time and memory complexities of 2203. All these attacks have been found by carefully studying the number of reachable multisets in Dunkelman et al. attacks.
160 citations
19 Mar 2012
TL;DR: The concept of biclique as a tool for preimage attacks was introduced in this paper, which employs many powerful techniques from differential cryptanalysis of block ciphers and hash functions.
Abstract: We present a new concept of biclique as a tool for preimage attacks, which employs many powerful techniques from differential cryptanalysis of block ciphers and hash functions.
The new tool has proved to be widely applicable by inspiring many authors to publish new results of the full versions of AES, KASUMI, IDEA, and Square. In this paper, we show how our concept leads to the first cryptanalysis of the round-reduced Skein hash function, and describe an attack on the SHA-2 hash function with more rounds than before.
128 citations
References
More filters
Book•
01 Jan 1996TL;DR: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols.
Abstract: From the Publisher:
A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.
13,597 citations
22 May 2005
TL;DR: A new powerful attack on MD5 is presented, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.
Abstract: MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.
1,583 citations
Book•
01 Jan 2001
TL;DR: Simplified variants that omit a quadratic function and a fixed rotation in RC6 are examined to clarify their essential contribution to the overall security of RC6.
Abstract: RC6 has been submitted as a candidate for the Advanced Encryption Standard (AES). Two important features of RC6 that were absent from its predecessor RC5 are a quadratic function and a fixed rotation. By examining simplified variants that omit these features we clarify their essential contribution to the overall security of RC6.
1,487 citations