scispace - formally typeset
Showing papers on "Collision attack published in 2006"


Book ChapterDOI
28 May 2006
TL;DR: A new attack on Damgard-Merkle hash functions is developed, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later "herd" any given starting part of a message to that hash value by the choice of an appropriate suffix.
Abstract: In this paper, we develop a new attack on Damgard-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have–Chosen Target Forced Prefix (CTFP) preimage resistance–and show the distinction between Damgard-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value.

225 citations


Book ChapterDOI
Shai Halevi, Hugo Krawczyk
20 Aug 2006
TL;DR: The goal is to free practical digital signature schemes from their current reliance on strong collision resistance by basing the security of these schemes on significantly weaker properties of the underlying hash function, thus providing a safety net in case the hashes in use turn out to be less resilient to collision search than initially thought.
Abstract: We propose randomized hashing as a mode of operation for cryptographic hash functions intended for use with standard digital signatures and without necessitating any changes in the internals of the underlying hash function (e.g., the SHA family) or in the signature algorithms (e.g., RSA or DSA). The goal is to free practical digital signature schemes from their current reliance on strong collision resistance by basing the security of these schemes on significantly weaker properties of the underlying hash function, thus providing a safety net in case the (current or future) hash functions in use turn out to be less resilient to collision search than initially thought. We design a specific mode of operation that takes into account engineering considerations (such as simplicity, efficiency and compatibility with existing implementations) as well as analytical soundness. Specifically, the scheme consists of a regular use of the hash function with randomization applied only to the message before it is input to the hash function. We formally show the sufficiency of weaker than collision-resistance assumptions for proving the security of the scheme.

187 citations


Book ChapterDOI
15 Mar 2006
TL;DR: Constructions of a compression function with 2n-bit output from a component function with n-bit output are presented; any collision-finding attack on them is at most as efficient as the birthday attack in the random oracle model or in the ideal cipher model.
Abstract: In this article, it is discussed how to construct a compression function with 2n-bit output using a component function with n-bit output. The component function is either a smaller compression function or a block cipher. Some constructions are presented which compose collision-resistant hash functions: Any collision-finding attack on them is at most as efficient as the birthday attack in the random oracle model or in the ideal cipher model. A new security notion is also introduced, which we call indistinguishability in the iteration, with a construction satisfying the notion.

151 citations


Journal Article
TL;DR: In this article, it is discussed how to construct a compression function with 2n-bit output using a component function with n-bit output, either a smaller compression function or a block cipher.
Abstract: In this article, it is discussed how to construct a compression function with 2n-bit output using a component function with n-bit output. The component function is either a smaller compression function or a block cipher. Some constructions are presented which compose collision-resistant hash functions: Any collision-finding attack on them is at most as efficient as the birthday attack in the random oracle model or in the ideal cipher model. A new security notion is also introduced, which we call indistinguishability in the iteration, with a construction satisfying the notion.

130 citations


Journal ArticleDOI
TL;DR: In this article, the security of various problems motivated by the notion of a secure hash function is analyzed in the random oracle model, and it is shown that the obvious trivial algorithms are optimal.
Abstract: In this paper, we study issues related to the notion of "secure" hash functions. Several necessary conditions are considered, as well as a popular sufficient condition (the so-called random oracle model). We study the security of various problems that are motivated by the notion of a secure hash function. These problems are analyzed in the random oracle model, and we prove that the obvious trivial algorithms are optimal. As well, we look closely at reductions between various problems. In particular, we consider the important question "does collision resistance imply preimage resistance?". We provide partial answers to this question --- both positive and negative! --- based on uniformity properties of the hash function under consideration.

116 citations


Posted Content
TL;DR: An improved attack algorithm to find two-block collisions of the hash function MD5 and the set of sufficient conditions is presented, together with a new technique which allows the authors to deterministically fulfill restrictions to properly rotate the differentials in the first round.
Abstract: In this paper, we present an improved attack algorithm to find two-block collisions of the hash function MD5. The attack uses the same differential path of MD5 and the set of sufficient conditions that was presented by Wang et al. We present a new technique which allows us to deterministically fulfill restrictions to properly rotate the differentials in the first round. We will present a new algorithm to find the first block and we will use an algorithm of Klima to find the second block. To optimize the inner loop of these algorithms we will optimize the set of sufficient conditions. We also show that the initial value used for the attack has a large influence on the attack complexity. Therefore a recommendation is made for 2 conditions on the initial value of the attack to avoid very hard situations if one has some freedom in choosing this initial value. Our attack can be done in an average of about 1 minute (avg. complexity 2^32.3) on a 3 GHz Pentium 4 for these random recommended initial values. For arbitrary random initial values the average is about 5 minutes (avg. complexity 2^34.1). With a reasonable probability a collision is found within mere seconds, allowing for

107 citations


Journal Article
TL;DR: In this article, the authors present a new attack on Damgard-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later herd any given starting part of the message to that hash value by the choice of an appropriate suffix.
Abstract: In this paper, we develop a new attack on Damgard-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later herd any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have-Chosen Target Forced Prefix (CTFP) preimage resistance-and show the distinction between Damgard-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value.

76 citations


Posted Content
TL;DR: In this article, the authors present an approach to design cryptographic hash functions that builds on and improves the one underlying the Panama hash function, and give a concrete design called RadioGatun that is quite competitive with SHA-1 in terms of performance.
Abstract: We present an approach to design cryptographic hash functions that builds on and improves the one underlying the Panama hash function. We discuss the properties of the resulting hash functions that need to be investigated and give a concrete design called RadioGatun that is quite competitive with SHA-1 in terms of performance. We are busy performing an analysis of RadioGatun and present in this paper some preliminary results.

58 citations


Journal Article
TL;DR: In this paper, a formal proof of indifferentiability and indifferentiable attack for prefix-free MD hash functions (for single block length hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model was given.
Abstract: Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC'04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto'2005, Coron et al. [5] suggested to employ indifferentiability in generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and indifferentiable attack for prefix-free MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefix-free padding) which are indifferentiable from random oracle model in the ideal cipher model.

57 citations


Book ChapterDOI
10 Oct 2006
TL;DR: A new class of collision attacks based on inducing faults into the encryption process is presented; these attacks are very powerful even against sophisticated countermeasures like error detection and memory encryption.
Abstract: In this paper we present a new class of collision attacks that are based on inducing faults into the encryption process. We combine the classical fault attack of Biham and Shamir with the concept of collision attacks of Schramm et al. Unlike previous fault attacks by Blomer and Seifert our new attacks only need bit flips not bit resets. Furthermore, the new attacks do not need the faulty ciphertext to derive the secret key. We only need the weaker information whether a collision has occurred or not. This is an improvement over previous attacks presented for example by Dusart, Letourneux and Vivolo, Giraud, Chen and Yen or Piret and Quisquater. As it turns out the new attacks are very powerful even against sophisticated countermeasures like error detection and memory encryption.

56 citations


Book ChapterDOI
20 Aug 2006
TL;DR: It is shown that any secure construction that evaluates each hash function once cannot output fewer bits than simply concatenating the given functions.
Abstract: Let H1, H2 be two hash functions. We wish to construct a new hash function H that is collision resistant if at least one of H1 or H2 is collision resistant. Concatenating the output of H1 and H2 clearly works, but at the cost of doubling the hash output size. We ask whether a better construction exists, namely, can we hedge our bets without doubling the size of the output? We take a step towards answering this question in the negative — we show that any secure construction that evaluates each hash function once cannot output fewer bits than simply concatenating the given functions.

Posted Content
TL;DR: In this paper, it was shown that multicollision attacks exist for generalized sequential hash functions provided that every message block is used at most twice in the computation of the message digest.
Abstract: A multicollision for a function is a set of inputs whose outputs are all identical. A. Joux showed multicollision attacks on the classical iterated hash function. He also showed how these multicollision attacks can be used to get a collision attack on a concatenated hash function. In this paper, we study multicollision attacks in a more general class of hash functions which we term "generalized sequential hash functions." We show that multicollision attacks exist for this class of hash functions provided that every message block is used at most twice in the computation of the message digest.

Journal ArticleDOI
TL;DR: This paper shows how collisions can be obtained in such incremental hash functions that are based on pair block chaining, highlighting that more caution should be taken into its design process.

Book ChapterDOI
15 Mar 2006
TL;DR: FORK-256 is a software-efficient 256-bit hash function which is secure against known cryptographic attacks on hash functions and is designed not only to have higher security but also to be faster than SHA-256.
Abstract: This paper describes a new software-efficient 256-bit hash function, FORK-256. Recently proposed attacks on MD5 and SHA-1 motivate a new hash function design. It is designed not only to have higher security but also to be faster than SHA-256. The performance of the new hash function is at least 30% better than that of SHA-256 in software. And it is secure against any known cryptographic attacks on hash functions.

Book ChapterDOI
11 Dec 2006
TL;DR: This paper proposes a new hash function based on RC4 and it is called RC4-Hash, which produces variable length hash output from 16 bytes to 64 bytes and has several advantages over many popularly known hash functions.
Abstract: In this paper, we propose a new hash function based on RC4 and we call it RC4-Hash. This proposed hash function produces variable length hash output from 16 bytes to 64 bytes. Our RC4-Hash has several advantages over many popularly known hash functions. Its efficiency is comparable with widely used known hash functions (e.g., SHA-1). Seen in the light of recent attacks on MD4, MD5, SHA-0, SHA-1 and on RIPEMD, there is a serious need to consider other hash function design strategies. We present a concrete hash function design with a completely new internal structure. The security analysis of RC4-Hash can be made in the view of the security analysis of RC4 (which is well studied) as well as the attacks on different hash functions. Our hash function is very simple and rules out all possible generic attacks. To the best of our knowledge, the design criteria of our hash function are different from all previously known hash functions. We believe our hash function to be secure and will appreciate security analysis and any other comments.

Journal Article
TL;DR: In this paper, some observations on Camellia are presented, by which the Square attack and the Collision attack are improved; it is concluded that the most efficient attack on Camellia is the Square attack.
Abstract: In this paper, some observations on Camellia are presented, by which the Square attack and the Collision attack are improved. 11-round 256-bit Camellia without FL function is breakable with complexity of 2^250 encryptions. 9-round 128-bit Camellia without FL function is breakable with the complexity of 2^90 encryptions. And 10-round 256-bit Camellia with FL function is breakable with the complexity of 2^210 encryptions and 9-round 128-bit Camellia with FL function is breakable with the complexity of 2^122 encryptions. These results are better than any other known results. It concludes that the most efficient attack on Camellia is the Square attack.

Journal ArticleDOI
01 Mar 2006
TL;DR: The SHA-1 attack and the US National Institute of Standards and Technology's (NIST's) plans for SHA-1 and hash functions in general are discussed.
Abstract: Successful attacks against the two most commonly used cryptographic hash functions, MD5 and SHA-1, have triggered a kind of feeding frenzy in the cryptographic community. Many researchers are now working on hash function attacks, and we can expect new results in this area for the next several years. This article discusses the SHA-1 attack and the US National Institute of Standards and Technology's (NIST's) plans for SHA-1 and hash functions in general.

Book ChapterDOI
03 Dec 2006
TL;DR: Submarine modification, an extension of the multi-message modification used in collision attacks on the MD-family, is proposed together with two new sufficient conditions, allowing a SHA-0 collision to be generated with high probability.
Abstract: At CRYPTO 2005, Xiaoyun Wang, Hongbo Yu and Yiqun Lisa Yin proposed a collision attack on SHA-0 that could generate a collision with complexity 2^39 SHA-0 hash operations. Although the method of Wang et al. can find messages that satisfy the sufficient conditions in steps 1 to 20 by using message modification, it makes no mention of the message modifications needed to yield satisfaction of the sufficient conditions in steps 21 and onwards. In this paper, first, we give sufficient conditions for the steps from step 21, and propose submarine modification as the message modification technique that will ensure satisfaction of the sufficient conditions from steps 21 to 24. Submarine modification is an extension of the multi-message modification used in collision attacks on the MD-family. Next, we point out that the sufficient conditions given by Wang et al. are not enough to generate a collision with high probability; we rectify this shortfall by introducing two new sufficient conditions. The combination of our newly found sufficient conditions and submarine modification allows us to generate a collision with complexity 2^36 SHA-0 hash operations. At the end of this paper, we show an example of a collision generated by applying our proposals.

Journal Article
TL;DR: This paper considers the problem of combining smaller trusted compression functions to build a larger compression function, which leads directly to impossibility results on a range of block cipher-based hash function constructions.
Abstract: The design of secure compression functions is of vital importance to hash function development. In this paper we consider the problem of combining smaller trusted compression functions to build a larger compression function. This work leads directly to impossibility results on a range of block cipher-based hash function constructions.

Book ChapterDOI
30 Aug 2006
TL;DR: A related-key rectangle attack on 42-round SHACAL-2 was presented in this article, which requires 2^243.38 chosen plaintexts and has a running time of 2^488.37.
Abstract: Based on the compression function of the hash function standard SHA-256, SHACAL-2 is a 64-round block cipher with a 256-bit block size and a variable length key of up to 512 bits. In this paper, we present a related-key rectangle attack on 42-round SHACAL-2, which requires 2^243.38 related-key chosen plaintexts and has a running time of 2^488.37. This is the best currently known attack on SHACAL-2.

Book ChapterDOI
Ilya Mironov
24 Apr 2006
TL;DR: It is demonstrated that for three concrete signature schemes, DSA, PSS-RSA, and Cramer-Shoup, the message can be hashed simultaneously with computing the signature, using one of the signature’s components as the key for the hash function.
Abstract: A signature scheme constructed according to the hash-and-sign paradigm—hash the message and then sign the hash, symbolically σ(H(M))—is no more secure than the hash function H against a collision-finding attack. Recent attacks on standard hash functions call the paradigm into question. It is well known that a simple modification of the hash-and-sign paradigm may replace the collision-resistant hash with a weaker primitive—a target-collision resistant hash function (also known as a universal one-way hash, UOWHF). The signer generates a random key k and outputs the pair (k, σ(k||H_k(M))) as a signature on M. The apparent problem with this approach is the increase in the signature size. In this paper we demonstrate that for three concrete signature schemes, DSA, PSS-RSA, and Cramer-Shoup, the message can be hashed simultaneously with computing the signature, using one of the signature's components as the key for the hash function. We prove that our constructions are as secure as the originals for DSA and PSS-RSA in the random oracle model and for the Cramer-Shoup signature scheme in the standard model.

Book ChapterDOI
11 Dec 2006
TL;DR: This article shows how their attack method can be extended to construct a collision in the Tiger hash function reduced to 19 rounds, and presents two different attack strategies for constructing collisions in Tiger-19 with complexity of about 2^62 and 2^69.
Abstract: Tiger is a cryptographic hash function with a 192-bit hash value which was proposed by Anderson and Biham in 1996. At FSE 2006, Kelsey and Lucks presented a collision attack on Tiger reduced to 16 (out of 24) rounds with complexity of about 2^44. Furthermore, they showed that a pseudo-near-collision can be found for a variant of Tiger with 20 rounds with complexity of about 2^48. In this article, we show how their attack method can be extended to construct a collision in the Tiger hash function reduced to 19 rounds. We present two different attack strategies for constructing collisions in Tiger-19 with complexity of about 2^62 and 2^69. Furthermore, we present a pseudo-near-collision for a variant of Tiger with 22 rounds with complexity of about 2^44.

Book ChapterDOI
17 Aug 2006
TL;DR: The first known attack on the full 80-round SHACAL-1 faster than exhaustive key search is devised, based on transformation of the collision-producing differentials of SHA-1 presented by Wang et al.
Abstract: SHACAL-1 is a 160-bit block cipher with a variable key length of up to 512 bits, based on the hash function SHA-1. It was submitted to the NESSIE project and was accepted as a finalist for the 2nd phase of the evaluation. In this paper we devise the first known attack on the full 80-round SHACAL-1 faster than exhaustive key search. The related-key differentials used in the attack are based on transformation of the collision-producing differentials of SHA-1 presented by Wang et al.

Journal ArticleDOI
01 Jan 2006
TL;DR: A workshop to solicit input on the current status of the Secure Hash Algorithm-1 (SHA-1) family of hash functions was organized by the US National Institute for Standards and Technology.
Abstract: In light of recent breakthroughs on the cryptanalysis of hash functions, the US National Institute for Standards and Technology (NIST) organized a workshop to solicit input on the current status of the Secure Hash Algorithm-1 (SHA-1) family of hash functions.

01 Jan 2006
TL;DR: In this article, a collision attack on SMASH was presented, which allows to produce almost any desired difference in the chaining variables of the iterated hash function with probability 1.
Abstract: We present a collision attack on SMASH. SMASH was proposed as a new hash function design strategy that does not rely on the structure of the MD4 family. The presented attack method allows us to produce almost any desired difference in the chaining variables of the iterated hash function. Due to the absence of a secret key, we are able to construct differences with probability 1. Furthermore, we get only few constraints on the colliding messages, which allows us to construct meaningful collisions. The presented collision attack uses negligible resources and we conjecture that it works for all hash functions built following the design strategy of SMASH.

Book ChapterDOI
30 Nov 2006
TL;DR: In this article, the collision search attack on HAS-160 is extended from the first 45 steps to the first 53 steps; the time complexity of the attack is about 2^55.
Abstract: HAS-160 is a cryptographic hash function which is designed and used widely in Korea. In ICISC 2005, Yun et al. presented a collision search attack for the first 45 steps of HAS-160. In this paper, we extend the result to the first 53 steps of HAS-160. The time complexity of the attack is about 2^55.

Journal Article
TL;DR: This paper extends the result of the ICISC 2005 collision search attack to the first 53 steps of HAS-160, a cryptographic hash function designed and used widely in Korea.
Abstract: HAS-160 is a cryptographic hash function which is designed and used widely in Korea. In ICISC 2005, Yun et al. presented a collision search attack for the first 45 steps of HAS-160. In this paper, we extend the result to the first 53 steps of HAS-160. The time complexity of the attack is about 2^55.

Journal Article
TL;DR: In this article, the influence of collision-finding attacks on the security of time-stamping schemes was studied and necessary and sufficient conditions for client side hash functions were derived by using explicit separation techniques.
Abstract: We study the influence of collision-finding attacks on the security of time-stamping schemes. We distinguish between client-side hash functions used to shorten the documents before sending them to time-stamping servers and server-side hash functions used for establishing one-way causal relations between time stamps. We derive necessary and sufficient conditions for client-side hash functions and show by using explicit separation techniques that neither collision-resistance nor 2nd preimage resistance is necessary for secure time-stamping. Moreover, we show that server-side hash functions can even be not one-way. Hence, it is impossible by using black-box techniques to transform collision-finders into wrappers that break the corresponding time-stamping schemes. Each such wrapper should analyze the structure of the hash function. However, these separations do not necessarily hold for more specific classes of hash functions. Considering this, we take a more detailed look at the structure of practical hash functions by studying the Merkle-Damgard (MD) hash functions. We show that attacks which are able to find collisions for MD hash functions with respect to randomly chosen initial states also violate the necessary security conditions for client-side hash functions. This does not contradict the black-box separation results because the MD structure is already a deviation from the black-box setting. As a practical consequence, MD5, SHA-0, and RIPEMD are no longer recommended for use as client-side hash functions in time-stamping. However, there is still no evidence against using MD5 (or even MD4) as server-side hash functions.

Book ChapterDOI
23 Oct 2006
TL;DR: A novel scheme (a new kind of hash chain) is proposed, which re-initializes or updates by itself, named Self-Updating Hash Chain – SUHC; its updating process is smooth, secure and efficient, does not need additional protocols or an independent re-initialization process, and can be continued indefinitely to give rise to an infinite length hash chain.
Abstract: Hash Chains are widely used in various cryptography applications such as one-time passwords, server-supported signatures and micropayments etc. However, the finite length ('limited-link') of hash chains limits their applications. Some methods of re-initializing hash chains or infinite hash chains introduced in the literature are inefficient and un-smooth. In this paper, a novel scheme (a new kind of hash chain) is proposed, which re-initializes or updates by itself, named Self-Updating Hash Chain – SUHC. Highlights of SUHC are self-updating, fine-authentication and proactive updating. The updating process of SUHC is smooth, secure and efficient and does not need additional protocols or an independent re-initialization process, and can be continued indefinitely to give rise to an infinite length hash chain. An improved Server-Supported Signature with SUHC is also presented to show the application of SUHC.

Book ChapterDOI
06 Jun 2006
TL;DR: It is shown by using explicit separation techniques that neither collision-resistance nor 2nd preimage resistance is necessary for secure time-stamping, and that server-side hash functions can even be not one-way.
Abstract: We study the influence of collision-finding attacks on the security of time-stamping schemes. We distinguish between client-side hash functions used to shorten the documents before sending them to time-stamping servers and server-side hash functions used for establishing one-way causal relations between time stamps. We derive necessary and sufficient conditions for client-side hash functions and show by using explicit separation techniques that neither collision-resistance nor 2nd preimage resistance is necessary for secure time-stamping. Moreover, we show that server-side hash functions can even be not one-way. Hence, it is impossible by using black-box techniques to transform collision-finders into wrappers that break the corresponding time-stamping schemes. Each such wrapper should analyze the structure of the hash function. However, these separations do not necessarily hold for more specific classes of hash functions. Considering this, we take a more detailed look at the structure of practical hash functions by studying the Merkle-Damgard (MD) hash functions. We show that attacks which are able to find collisions for MD hash functions with respect to randomly chosen initial states also violate the necessary security conditions for client-side hash functions. This does not contradict the black-box separation results because the MD structure is already a deviation from the black-box setting. As a practical consequence, MD5, SHA-0, and RIPEMD are no longer recommended for use as client-side hash functions in time-stamping. However, there is still no evidence against using MD5 (or even MD4) as server-side hash functions.