
Showing papers on "Collision attack published in 2004"


Book ChapterDOI
15 Aug 2004
TL;DR: It is shown that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, even for extremely large values of r, and it is proved that concatenating the results of several iterated hash functions in order to build a larger one does not yield a secure construction.
Abstract: In this paper, we study the existence of multicollisions in iterated hash functions. We show that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, i.e. pairs of messages, even for extremely large values of r. More precisely, the ratio of the complexities of the attacks is approximately equal to the logarithm of r. Then, using large multicollisions as a tool, we solve a long standing open problem and prove that concatenating the results of several iterated hash functions in order to build a larger one does not yield a secure construction. We also discuss the potential impact of our attack on several published schemes. Quite surprisingly, for subtle reasons, the schemes we study happen to be immune to our attack.

451 citations


Posted Content
TL;DR: In 1993 Bert den Boer and Antoon Bosselaers found a pseudo-collision for MD5, made of the same message with two different sets of initial values.
Abstract: MD5 is the hash function designed by Ron Rivest [9] as a strengthened version of MD4 [8]. In 1993 Bert den Boer and Antoon Bosselaers [1] found a pseudo-collision for MD5 which is made of the same message with two different sets of initial values. H. Dobbertin [3] found another kind of collision which consists of two different 512-bit messages with a chosen initial value I

406 citations


Book ChapterDOI
05 Feb 2004
TL;DR: In this paper, the authors consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and second-preimage resistance and give seven different definitions that correspond to these three underlying ideas, and then work out all of the implications and separations among these seven definitions within the concrete-security, provable-security framework.
Abstract: We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and second-preimage resistance. We give seven different definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concrete-security, provable-security framework. Because our results are concrete, we can show two types of implications, conventional and provisional, where the strength of the latter depends on the amount of compression achieved by the hash function. We also distinguish two types of separations, conditional and unconditional. When constructing counterexamples for our separations, we are careful to preserve specified hash-function domains and ranges; this rules out some pathological counterexamples and makes the separations more meaningful in practice. Four of our definitions are standard while three appear to be new; some of our relations and separations have appeared, others have not. Here we give a modern treatment that acts to catalog, in one place and with carefully-considered nomenclature, the most basic security notions for cryptographic hash functions.

374 citations


Journal Article
TL;DR: In this article, the security of SHA-256, SHA-384 and SHA-512 against collision attacks is studied. The authors conclude that neither Chabaud and Joux's attack nor Dobbertin-style attacks apply, and that differential and linear attacks also do not apply to the underlying structure.
Abstract: This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks apply. Differential and linear attacks also do not apply to the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.

226 citations


Journal Article
TL;DR: In this article, a new combined analytical and side channel approach is proposed that reduces the attack effort compared to all other known side channel attacks, a distinct improvement over DPA and other side-channel attacks.
Abstract: Recently a new class of collision attacks which was originally suggested by Hans Dobbertin has been introduced. These attacks use side channel analysis to detect internal collisions and are generally not restricted to a particular cryptographic algorithm. As an example, a collision attack against DES was proposed which combines internal collisions with side channel information leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES). This contribution takes the same basic ideas and develops new optimized attacks against AES. Our major finding is that the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks. We develop several versions and refinements of the attack. First we show that key dependent collisions can be caused in the output bytes of the mix column transformation in the first round. By taking advantage of the birthday paradox, it is possible to cause a collision in an output with as little as 20 measurements. If a SPA leak is present from which collisions can be determined with certainty, then each collision will reveal at least 8 bits of the secret key. Furthermore, in an optimized attack, it is possible to cause collisions in all four output bytes of the mix column transformation with an average of only 31 measurements, which results in knowledge of all 32 key bits. Finally, if collisions are caused in all four columns of the AES in parallel, it is possible to determine the entire 128-bit key with only 40 measurements, which is a distinct improvement compared to DPA and other side channel attacks.

140 citations


Book ChapterDOI
Shoichi Hirose1
02 Dec 2004
TL;DR: New double-block-length hash functions with higher rates are presented which are also optimally collision resistant in the black-box model; they are composed of block ciphers whose key length is twice their block length.
Abstract: In CRYPTO'89, Merkle presented three double-block-length hash functions based on DES. They are optimally collision resistant in a black-box model, that is, the time complexity of any collision-finding algorithm for them is Ω(2^(l/2)) if DES is a random block cipher, where l is the output length. Their drawback is that their rates are low. In this article, new double-block-length hash functions with higher rates are presented which are also optimally collision resistant in the black-box model. They are composed of block ciphers whose key length is twice their block length.

103 citations


Proceedings Article
01 Jan 2004
TL;DR: In this article, a new combined analytical and side channel approach is proposed that reduces the attack effort compared to all other known side channel attacks, a distinct improvement over DPA and other side-channel attacks.
Abstract: Recently a new class of collision attacks which was originally suggested by Hans Dobbertin has been introduced. These attacks use side channel analysis to detect internal collisions and are generally not restricted to a particular cryptographic algorithm. As an example, a collision attack against DES was proposed which combines internal collisions with side channel information leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES). This contribution takes the same basic ideas and develops new optimized attacks against AES. Our major finding is that the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks. We develop several versions and refinements of the attack. First we show that key dependent collisions can be caused in the output bytes of the mix column transformation in the first round. By taking advantage of the birthday paradox, it is possible to cause a collision in an output with as little as 20 measurements. If a SPA leak is present from which collisions can be determined with certainty, then each collision will reveal at least 8 bits of the secret key. Furthermore, in an optimized attack, it is possible to cause collisions in all four output bytes of the mix column transformation with an average of only 31 measurements, which results in knowledge of all 32 key bits. Finally, if collisions are caused in all four columns of the AES in parallel, it is possible to determine the entire 128-bit key with only 40 measurements, which is a distinct improvement compared to DPA and other side channel attacks.

96 citations


Book ChapterDOI
11 Aug 2004
TL;DR: A collision attack against AES which combines internal collisions with side channel information leakage and the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks.
Abstract: Recently a new class of collision attacks which was originally suggested by Hans Dobbertin has been introduced. These attacks use side channel analysis to detect internal collisions and are generally not restricted to a particular cryptographic algorithm. As an example, a collision attack against DES was proposed which combines internal collisions with side channel information leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES). This contribution takes the same basic ideas and develops new optimized attacks against AES. Our major finding is that the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks. We develop several versions and refinements of the attack. First we show that key dependent collisions can be caused in the output bytes of the mix column transformation in the first round. By taking advantage of the birthday paradox, it is possible to cause a collision in an output with as little as 20 measurements. If a SPA leak is present from which collisions can be determined with certainty, then each collision will reveal at least 8 bits of the secret key. Furthermore, in an optimized attack, it is possible to cause collisions in all four output bytes of the mix column transformation with an average of only 31 measurements, which results in knowledge of all 32 key bits. Finally, if collisions are caused in all four columns of the AES in parallel, it is possible to determine the entire 128-bit key with only 40 measurements, which is a distinct improvement compared to DPA and other side channel attacks.

88 citations


Journal ArticleDOI
TL;DR: Based on one-way hash functions, an efficient key assignment and derivation method is proposed that uses a limited number of keys and hash functions to solve the access control problem in a hierarchy.

49 citations


Book ChapterDOI
11 Aug 2004
TL;DR: Side channel attacks (SCA) have received huge interest in the last five years; these new methods consider non-cryptographic sources of information (like timing or power consumption) in addition to traditional techniques.
Abstract: Side Channel Attacks (SCA) have received a huge interest in the last 5 years. These new methods consider non-cryptographic sources of information (like timing or power consumption) in addition to traditional techniques. Consequently block ciphers must now resist a variety of SCAs, among which figures the class of “collision attacks”. This recent technique combines side channel information with tools originally developed for block cipher or hash function cryptanalysis, like differential cryptanalysis for instance.

46 citations


Posted Content
TL;DR: This work presents a cryptanalysis of a provably secure cryptographic hash function proposed by Augot, Finiasz and Sendrier, and it is practical for two of the three proposed parameters.
Abstract: We present a cryptanalysis of a provably secure cryptographic hash function proposed by Augot, Finiasz and Sendrier in [1]. Our attack is a variant of Wagner's generalized birthday attack. It is significantly faster than the attack considered in [1], and it is practical for two of the three proposed parameters.

Book ChapterDOI
09 Aug 2004
TL;DR: It is proved that the 4-round primitive-wise idealized Camellia is not a pseudorandom permutation and the 5-round primitive-wise idealized Camellia is a super-pseudorandom permutation for non-adaptive adversaries.
Abstract: Camellia is the final winner of 128-bit block cipher in NESSIE. In this paper, we construct some efficient distinguishers between 4-round Camellia and a random permutation of the block space. By using collision-searching techniques, the distinguishers are used to attack 6, 7, 8 and 9 rounds of Camellia with 128-bit key and 8, 9 and 10 rounds of Camellia with 192/256-bit key. The attack on 6-round 128-bit key Camellia is more efficient than known attacks. The complexities of the attack on 7 (8, 9, 10)-round Camellia without FL/FL^-1 functions are less than those of previous attacks. Furthermore, we prove that the 4-round primitive-wise idealized Camellia is not a pseudorandom permutation and the 5-round primitive-wise idealized Camellia is a super-pseudorandom permutation for non-adaptive adversaries.

Book ChapterDOI
05 Dec 2004
TL;DR: It is shown that MD2 does not reach the ideal security level of 2^128, and the full MD2 hash can be attacked in preimage with complexity of 2^104.
Abstract: MD2 is an early hash function developed by Ron Rivest for RSA Security, that produces message digests of 128 bits. In this paper, we show that MD2 does not reach the ideal security level of 2^128. We describe preimage attacks against the underlying compression function, the best of which has complexity of 2^73. As a result, the full MD2 hash can be attacked in preimage with complexity of 2^104.

Journal Article
TL;DR: In this article, the existence of multicollisions in iterated hash functions is studied, and it is shown that the ratio of the complexity of finding an r-multicollision to that of finding an ordinary collision is approximately equal to the logarithm of r.
Abstract: In this paper, we study the existence of multicollisions in iterated hash functions. We show that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, i.e. pairs of messages, even for extremely large values of r. More precisely, the ratio of the complexities of the attacks is approximately equal to the logarithm of r. Then, using large multicollisions as a tool, we solve a long standing open problem and prove that concatenating the results of several iterated hash functions in order to build a larger one does not yield a secure construction. We also discuss the potential impact of our attack on several published schemes. Quite surprisingly, for subtle reasons, the schemes we study happen to be immune to our attack.

Journal ArticleDOI
TL;DR: This paper proposes a more secure hash-based strong-password authentication scheme without using smart cards, and shows that Lin-Shen-Hwang's scheme suffers from a replay attack and a denial-of-service attack.
Abstract: So far, many strong-password authentication schemes have been proposed, however, none is secure enough. In 2003, Lin, Shen, and Hwang proposed a strong-password authentication scheme using smart cards, and claimed that their scheme can resist the guessing attack, the replay attack, the impersonation attack, and the stolen-verifier attack. Later, Ku, Tsai, and Chen showed that Lin-Shen-Hwang's scheme suffers from a replay attack and a denial-of-service attack. Herein, we propose a more secure hash-based strong-password authentication scheme without using smart cards.

Journal Article
TL;DR: The SecurID hash function is used for authenticating users to a corporate computer infrastructure; as shown in this article, however, its block cipher can be broken in a few milliseconds on a PC with 70 adaptively chosen plaintexts.
Abstract: The SecurID hash function is used for authenticating users to a corporate computer infrastructure. We analyse an alleged implementation of this hash function. The block cipher at the heart of the function can be broken in a few milliseconds on a PC with 70 adaptively chosen plaintexts. The 64-bit secret key of 10% of the cards can be discovered given two months of token outputs and 2^48 analysis steps. A larger fraction of cards can be covered given more observation time.

Journal Article
TL;DR: In this paper, the concept of universal one-way hash functions (UOWHFs) is generalized to UOWHFs of order r, and it is shown that it is possible to construct UOWHFs with much shorter keys than existing constructions from fixed-size UOWHFs.
Abstract: Universal One-Way Hash Functions (UOWHFs) are families of cryptographic hash functions for which first a target input is chosen and subsequently a key which selects a member from the family. Their main security property is that it should be hard to find a second input that collides with the target input. This paper generalizes the concept of UOWHFs to UOWHFs of order r. We demonstrate that it is possible to build UOWHFs with much shorter keys than existing constructions from fixed-size UOWHFs of order r. UOWHFs of order r can be used both in the linear (r + 1)-round Merkle-Damgard construction and in a tree construction.

Patent
09 Feb 2004
TL;DR: In this paper, a family of graphs that have relatively large girth, large claw, and/or rapid mixing properties are described for construction of cryptographic primitives such as collision resistant hash functions and stream ciphers, which allow efficient software implementation.
Abstract: Techniques are disclosed to enable efficient implementation of secure hash functions and/or stream ciphers. More specifically, a family of graphs is described that has relatively large girth, large claw, and/or rapid mixing properties. The graphs are suitable for construction of cryptographic primitives such as collision resistant hash functions and stream ciphers, which allow efficient software implementation.

Book ChapterDOI
05 Dec 2004
TL;DR: A new power analysis attack against DES is introduced based on the well known Davies-Murphy attack, which takes advantage of non-uniform output distributions for two adjacent S-boxes to obtain one bit of information about the key.
Abstract: In this paper, we introduce a new power analysis attack against DES. It is based on the well known Davies-Murphy attack. As for the original attack, we take advantage of non-uniform output distributions for two adjacent S-boxes. We show how to detect these biased distributions by power analysis on any DES inner round and thus obtain one bit of information about the key.

Book ChapterDOI
05 Feb 2004
TL;DR: Biryukov, Lano, and Preneel as mentioned in this paper showed that vanishing differentials occur quite frequently, and that such differentials allow an attacker to recover the secret key in the token much faster than exhaustive search.
Abstract: SecurID is a widely used hardware token for strengthening authentication in a corporate environment. Recently, Biryukov, Lano, and Preneel presented an attack on the alleged SecurID hash function [1]. They showed that vanishing differentials (collisions of the hash function) occur quite frequently, and that such differentials allow an attacker to recover the secret key in the token much faster than exhaustive search. Based on simulation results, they estimated that the running time of their attack would be about 2^48 full hash operations when using only a single 2-bit vanishing differential.

Journal Article
TL;DR: It is shown that the weak collision resistance of the iterated hash function in NMAC is not implied by the pseudorandomness of its compression function even if the MD-strengthening is assumed.
Abstract: NMAC is a function for message authentication based on cryptographic hash functions such as SHA. It is shown to be a secure message authentication code if its compression function with fixed input length is a secure message authentication code and its iterated hash function with variable input length constructed with the compression function is weakly collision resistant. In this article, two results are shown on the strength of the weak collision resistance of the iterated hash function in NMAC. First, it is shown that the weak collision resistance of the iterated hash function in NMAC is not implied by the pseudorandomness of its compression function even if the MD-strengthening is assumed. Second, the weak collision resistance of the iterated hash function in NMAC implies the collision resistance of its compression function if the compression function is pseudo

Proceedings ArticleDOI
15 Aug 2004
TL;DR: This paper proposes a solution to this challenge - the general hash chain construction, which makes general hash chains quite strong, given the size constraints on their domains and ranges.
Abstract: Sensors and other small devices that periodically transmit relatively small packets of information motivate the study of hash chains with small domains and ranges. Hash chain based protocols work using deferred disclosure and it is often assumed their hash functions are one-way, hence essentially unbreakable. However small domains and ranges make hash functions much weaker. If a deterministic hash function's domain and range are the same and both are very small, then it may not be possible for the hash function to be one-way. In fact, hash chains with size-constrained domains and ranges are likely to cycle quickly. This paper proposes a solution to this challenge: the general hash chain construction. A general hash chain uses several subsequent hash elements at once as input to produce each output hash element. General hash chains have the following properties: (1) repeated hash elements do not necessarily indicate cycles in the hash chain, (2) subsequent elements of these hash chains do not have exponentially diminishing ranges. This makes general hash chains quite strong, given the size constraints on their domains and ranges.

Book ChapterDOI
13 Jul 2004
TL;DR: In this article, it is proved that PGV-hash functions are collision resistant and one-way secure in a black-box model of the underlying block cipher, and that all 42 of these hash families have tight upper and lower bounds on (target) collision resistance and one-wayness.
Abstract: In [1] it was proved that 20 out of 64 PGV-hash functions [2] based on block cipher are collision resistant and one-way secure in the black-box model of the underlying block cipher. Here, we generalize the definition of PGV-hash function into a hash family and prove that besides the previous 20 hash functions we have 22 more collision resistant and one-way secure hash families. As all these 42 families are keyed hash families, these become target collision resistant also. All these 42 hash families have tight upper and lower bounds on (target) collision resistance and one-wayness.

Posted Content
TL;DR: This work provides a mathematical framework for the study of cryptographic hash functions, which enables proofs for some prevailing beliefs in relation to the amount of uniformity in the hash function outcomes.
Abstract: In this paper we focus on the three basic security requirements for a cryptographic hash function, commonly referred to as preimage, second preimage and collision resistance. We examine these security requirements in the case of attacks which do not take advantage of how the hash function is computed, expressing them as success probabilities of suitable randomized algorithms. We give exact mathematical expressions for such resistance indices, and obtain their functional behaviour in relation to the amount of uniformity in the hash function outcomes. Our work provides a mathematical framework for the study of cryptographic hash functions, which enables us to give proofs for some prevailing beliefs.

Journal Article
TL;DR: In this article, an improvement of the square hash function family proposed by Etzel et al. is presented. In the new variants the keys are much shorter while the collision probability is slightly larger, and most of the main techniques used to optimize the original square hash functions also work on the variants.
Abstract: This paper shows an improvement of square hash function family proposed by Etzel et al. [5]. In the new variants, the size of keys is much shorter while the collision probability is slightly larger. Most of the main techniques used to optimize the original square hash functions work on our variants as well. The proposed algorithms are applicable to fast and secure message authentication.

Journal Article
TL;DR: In this paper, it is shown that the MD2 hash function does not reach the ideal security level of 2^128 and can be attacked in preimage with complexity of 2^104.
Abstract: MD2 is an early hash function developed by Ron Rivest for RSA Security, that produces message digests of 128 bits. In this paper, we show that MD2 does not reach the ideal security level of 2^128. We describe preimage attacks against the underlying compression function, the best of which has complexity of 2^73. As a result, the full MD2 hash can be attacked in preimage with complexity of 2^104.

Proceedings ArticleDOI
11 Oct 2004
TL;DR: This paper extends Naor's dynamic hash tree scheme in order to optimize performance; the extended scheme can adjust traffic between CA-to-directory and directory-to-user according to certificate update rate and query rate in applications, and thus can remarkably reduce the overall traffic consumed for certificate revocation.
Abstract: Certificate revocation is an outstanding problem in PKI. This paper extends Naor's scheme of dynamic hash tree in order to optimize performance. The set of revoked certificates is divided into groups. In each group, proofs for certificate status are computed by using a one-way accumulator, while all groups are still organized in a hash tree. The main advantage of the proposed scheme is that it can adjust traffic between CA-to-directory and directory-to-user according to certificate update rate and query rate in applications, thus can remarkably reduce overall traffic consumed for certificate revocation, and can efficiently accommodate a wide range of scenarios. Compared with Naor's original scheme, performance analysis shows it can reduce traffic by about 50% in typical environments.

Posted Content
TL;DR: In this article, the security of SHA-0 variants is analyzed against the Chabaud-Joux attack proposed at CRYPTO 1998. The analysis shows that all the variants could be collision-attacked by using near-collisions as a tool, and thus replacing the primitive polynomial is not a proper way to make SHA-0 secure.
Abstract: SHA-0 employs a primitive polynomial of degree 16 over GF(2) in its message schedule. There are 2048 primitive polynomials of degree 16 over GF(2). For each primitive polynomial, a SHA-0 variant can be constructed. In this paper, the security of 2048 variants is analyzed against the Chabaud-Joux attack proposed in CRYPTO’98. The analysis shows that all the variants could be collision-attacked by using near-collisions as a tool and thus the replacement of the primitive polynomial is not a proper way to make SHA-0 secure. However, it is shown that the selection of the variants highly affects the complexity of the attack. Furthermore, a collision in the most vulnerable variant is presented. It is obtained by the original Chabaud-Joux attack without any improvements.