Showing papers on "Collision attack published in 2009"

The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

Abstract: In this work, we propose the rebound attack, a new tool for the cryptanalysis of hash functions. The idea of the rebound attack is to use the available degrees of freedom in a collision attack to efficiently bypass the low probability parts of a differential trail. The rebound attack consists of an inbound phase with a match-in-the-middle part to exploit the available degrees of freedom, and a subsequent probabilistic outbound phase. Especially on AES based hash functions, the rebound attack leads to new attacks for a surprisingly high number of rounds. We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit hash function Whirlpool with a complexity of 2120 compression function evaluations and negligible memory requirements. The attack can be extended to a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5 rounds of the similar hash function Maelstrom. Additionally, we apply the rebound attack to the SHA-3 submission Grostl, which leads to an attack on 6 rounds of the Grostl-256 compression function with a complexity of 2120 and memory requirements of about 264.

Finding Preimages in Full MD5 Faster Than Exhaustive Search

Abstract: In this paper, we present the first cryptographic preimage attack on the full MD5 hash function. This attack, with a complexity of 2116.9, generates a pseudo-preimage of MD5 and, with a complexity of 2123.4, generates a preimage of MD5. The memory complexity of the attack is 245 ×11 words. Our attack is based on splice-and-cut and local-collision techniques that have been applied to step-reduced MD5 and other hash functions. We first generalize and improve these techniques so that they can be more efficiently applied to many hash functions whose message expansions are a permutation of message-word order in each round. We then apply these techniques to MD5 and optimize the attack by considering the details of MD5 structure.

Preimage Attacks on One-Block MD4, 63-Step MD5 and More

Abstract: This paper shows preimage attacks on one-block MD4 and MD5 reduced to 63 (out of 64) steps. Our attacks are based on the meet-in-the-middle attack, and many additional improvements make the preimage computable faster than that of the brute-force attack, 2128 hash computation. A preimage of one-block MD4 can be computed in the complexity of the 2107 MD4 compression function computation, and a preimage of MD5 reduced to 63 steps can be computed in the complexity of the 2121 MD5 compression function computation. Moreover, we optimize the computational order of the brute-force attack against MD5, and a preimage of full-round MD5 can be computed in the complexity of the 2127 MD5 compression function computation.

Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

Abstract: We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 249 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 216 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.

Rebound Distinguishers: Results on the Full Whirlpool Compression Function

Abstract: Whirlpool is a hash function based on a block cipher that can be seen as a scaled up variant of the AES The main difference is the (compared to AES) extremely conservative key schedule In this work, we present a distinguishing attack on the full compression function of Whirlpool We obtain this result by improving the rebound attack on reduced Whirlpool with two new techniques First, the inbound phase of the rebound attack is extended by up to two rounds using the available degrees of freedom of the key schedule This results in a near-collision attack on 95 rounds of the compression function of Whirlpool with a complexity of 2176 and negligible memory requirements Second, we show how to turn this near-collision attack into a distinguishing attack for the full 10 round compression function of Whirlpool This is the first result on the full Whirlpool compression function

Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1

Abstract: Preimage resistance of several hash functions has already been broken by the meet-in-the-middle attacks and they utilize a property that their message schedules consist of only permutations of message words. It is unclear whether this type of attacks is applicable to a hash function whose message schedule does not consist of permutations of message words. This paper proposes new attacks against reduced SHA-0 and SHA-1 hash functions by analyzing a message schedule that does not consist of permutations but linear combinations of message words. The newly developed cryptanalytic techniques enable the meet-in-the-middle attack to be applied to reduced SHA-0 and SHA-1 hash functions. The attacks find preimages of SHA-0 and SHA-1 in 2156.6 and 2159.3 compression function computations up to 52 and 48 steps, respectively, compared to the brute-force attack, which requires 2160 compression function computations. The previous best attacks find preimages up to 49 and 44 steps, respectively.

Preimages for Step-Reduced SHA-2

Abstract: In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2251.9, 2509 for finding pseudo-preimages and 2254.9, 2511.5 compression function operations for full preimages. The memory requirements are modest, around 26 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.

Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher

Abstract: In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grostl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grostl-256 output transformation and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO.

Collision-resistant elliptic curve hash functions

Abstract: Elliptic curve hash functions are provided which do not require a pre-existing hash function, such as that required by the MuHash. The elliptic curve hash functions can be built from scratch and are collision free and can be incremental. In one embodiment, rather than a pre-existing hash function, the identity function with padding is used; and in another embodiment, rather than a pre-existing hash function, a block cipher with a fixed non-secret key is used.

Cryptographic hash function Blue Midnight Wish

Abstract: The cryptographic hash function Blue Midnight Wish was submitted as a candidate for SHA-3 hash competition organized by National Institute of Standards and Technology (NIST).

Hash function requirements for Schnorr signatures

Abstract: We provide two necessary conditions on hash functions for the Schnorr signature scheme to be secure, assuming compact group representations such as those which occur in elliptic curve groups. We also show, via an argument in the generic group model, that these conditions are sufficient. Our hash function security requirements are variants of the standard notions of preimage and second preimage resistance. One of them is in fact equivalent to the Nostradamus attack by Kelsey and Kohno (Eurocrypt 2006), and, when considering keyed compression functions, both are closely related to the ePre and eSec notions by Rogaway and Shrimpton (FSE 2004). Our results have a number of interesting implications in practice. First, since security does not rely on the hash function being collision resistant, Schnorr signatures can still be securely instantiated with SHA-1/SHA256, unlike DSA signatures. Second, we conjecture that our properties require O(2) work to solve for a hash function with n-bit output, thereby allowing the use of shorter hashes and saving twenty-five percent in signature size. And third, our analysis does not reveal any significant difference in hardness between forging signatures and computing discrete logarithms, which plays down the importance of the loose reductions in existing random-oracle proofs, and seems to support the use of “normalsize” groups.

How Risky Is the Random-Oracle Model?

Abstract: RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a 267 preimage attack on BR93 for 1024-bit digests. Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS '07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT '08. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.

Security of Cyclic Double Block Length Hash Functions

Abstract: We provide a proof of security for a huge class of double block length hash function that we will call Cyclic-DM . Using this result, we are able to give a collision resistance bound for Abreast-DM , one of the oldest and most well-known constructions for turning a block cipher with n -bit block length and 2n -bit key length into a 2n -bit cryptographic hash function. In particular, we show that when Abreast-DM is instantiated using a block cipher with 128-bit block length and 256-bit key length, any adversary that asks less than 2124.42 queries cannot find a collision with success probability greater than 1/2. Surprisingly, this about 15 years old construction is one of the few constructions that have the desirable feature of a near-optimal collision resistance guarantee. We are also able to derive several DBL constructions that lead to compression functions offering an even higher security guarantee and more efficiency than Abreast-DM (e.g. share a common key). Furthermore we give a practical DBL construction that has the highest security guarantee of all DBL compression functions currently known in literature. We also provide a (relatively weak) analysis of preimage resistance for Cyclic-DM .

Hash Functions Based on Block Ciphers

Abstract: In this paper, a hash function with lower rate but higher efficiency is proposed and it can be built on insecure compression functions. The security of this scheme is proved under black-box model and some compression function based on block ciphers are given to build this scheme. It is also shown that key schedule is a more important factor affecting the efficiency of a block-cipher-based hash function than rate. The new scheme only needs 2 keys and the key schedule of it can be pre-computed. It means the new scheme need not re-schedule the keys at every step during the iterations and its efficiency is improved.

Preimage Attacks on Reduced Tiger and SHA-2

Abstract: This paper shows new preimage attacks on reduced Tiger and SHA-2. Indesteege and Preneel presented a preimage attack on Tiger reduced to 13 rounds (out of 24) with a complexity of 2128.5. Our new preimage attack finds a one-block preimage of Tiger reduced to 16 rounds with a complexity of 2161. The proposed attack is based on meet-in-the-middle attacks. It seems difficult to find "independent words" of Tiger at first glance, since its key schedule function is much more complicated than that of MD4 or MD5. However, we developed techniques to find independent words efficiently by controlling its internal variables. Surprisingly, the similar techniques can be applied to SHA-2 including both SHA-256 and SHA-512. We present a one-block preimage attack on SHA-256 and SHA-512 reduced to 24 (out of 64 and 80) steps with a complexity of 2240 and 2480, respectively. To the best of our knowledge, our attack is the best known preimage attack on reduced-round Tiger and our preimage attack on reduced-step SHA-512 is the first result. Furthermore, our preimage attacks can also be extended to second preimage attacks directly, because our attacks can obtain random preimages from an arbitrary IV and an arbitrary target.

Improved preimage attack for 68-step HAS-160

Abstract: In this paper, we improve previous preimage attacks on hash function HAS-160, which is standardized in Korea. We show that the last 68 steps out of 80 steps of HAS-160 can be attacked, while a previous attack works for only intermediate 52 steps. We also show that the first 67 steps of HAS-160 can be attacked. These attacks are based on the meet-in-the-middle attack, which is also used in the previous attack. Recently, various techniques of preimage attacks have been proposed on other hash functions. We show that these techniques can also be applied to HAS-160 and the number of attacked steps can be improved. For the attack on 68 steps, we first generate pseudo-preimages with a complexity of 2150.7, and then convert them to a preimage with a complexity of 2156.3. This attack uses a memory of 212 × 7 words. To the best of our knowledge, attacking 68 steps is the best of all attacks on HAS-160 hash function.

Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5

Abstract: This paper presents preimage attacks on the hash functions 3-pass HAVAL and step-reduced MD5. Introduced in 1992 and 1991 respectively, these functions underwent severe collision attacks, but no preimage attack. We describe two preimage attacks on the compression function of 3-pass HAVAL. The attacks have a complexity of about 2224 compression function evaluations instead of 2256. We present several preimage attacks on the MD5 compression function that invert up to 47 steps (out of 64) within 296 trials instead of 2128. Although our attacks are not practical, they show that the security margin of 3-pass HAVAL and step-reduced MD5 with respect to preimage attacks is not as high as expected.

Speeding up Collision Search for Byte-Oriented Hash Functions

Abstract: We describe a new tool for the search of collisions for hash functions. The tool is applicable when an attack is based on a differential trail, whose probability determines the complexity of the attack. Using the linear algebra methods we show how to organize the search so that many (in some cases -- all) trail conditions are always satisfied thus significantly reducing the number of trials and the overall complexity. The method is illustrated with the collision and second preimage attacks on the compression functions based on Rijndael. We show that slow diffusion in the Rijndael (and AES) key schedule allows to run an attack on a version with a 13-round compression function, and the S-boxes do not prevent the attack. We finally propose how to modify the key schedule to resist the attack and provide lower bounds on the complexity of the generic differential attacks for our modification.

Cryptanalysis of MDC-2

Abstract: We provide a collision attack and preimage attacks on the MDC-2 construction, which is a method (dating back to 1988) of turning an n -bit block cipher into a 2n -bit hash function The collision attack is the first below the birthday bound to be described for MDC-2 and, with n = 128, it has complexity 21245, which is to be compared to the birthday attack having complexity 2128 The preimage attacks constitute new time/memory trade-offs; the most efficient attack requires time and space about 2 n , which is to be compared to the previous best known preimage attack of Lai and Massey (Eurocrypt '92), having time complexity 23n /2 and space complexity 2 n /2, and to a brute force preimage attack having complexity 22n

How To Find Weak Input Differences For MD5 Collision Attacks.

Abstract: Since the first feasible collision differential was given for MD5 in 2004 by Wang et al, a lot of work has been concentrated on how to improve it, but the researches on how to select weak input differences for MD5 collision attack are only sporadically scattered in literature. This paper focuses on a reasonable selection of weak input differences for MD5 collision attack, tries to answer some questions such as, what techniques can be use to satisfy bit conditions? which step in the second round can be the latest to apply a search on free bits without violating previously satisfied conditions? what is the optimal characterization of feasible collision differential propagation for MD5, by which we can find more weak input differences? is there any collision differentials better than Wang et al’s by some practical criteria? In this paper, a divide-and-conquer strategy is introduced with an optimal scheme of grouping the 64 steps of operation into five stages of independent condition fulfillment, and a feasible collision differential propagation is optimally characterized as a guide to select those 1-3-bit weak input differences, with their computational costs estimated. As a result, hundreds of thousands of weak input differences have been found, quite a number of which are superior to Wang et al’s. For example, a new differential collision attack with only 1-MSB input difference is developed with a time complexity of 2 MD5 compressions, two weak input differences are able to find a collision within 2 MD5 compressions. In particular, a 2-bit weak input difference is found to be able to construct a practical 1-block collision attack on MD5. This paper will provide a rich resource of colliding messages with different weak input differences, therefore much greatly increase the probability of finding a second MD5 pre-image for an arbitrarily given message.

Collisions and Other Non-random Properties for Step-Reduced SHA-256

Abstract: We study the security of step-reduced but otherwise unmodified SHA-256. We show the first collision attacks on SHA-256 reduced to 23 and 24 steps with complexities 218 and 228.5, respectively. We give example colliding message pairs for 23-step and 24-step SHA-256. The best previous, recently obtained result was a collision attack for up to 22 steps. We extend our attacks to 23 and 24-step reduced SHA-512 with respective complexities of 244.9 and 253.0. Additionally, we show non-random behaviour of the SHA-256 compression function in the form of free-start near-collisions for up to 31 steps, which is 6 more steps than the recently obtained non-random behaviour in the form of a semi-free-start near-collision. Even though this represents a step forwards in terms of cryptanalytic techniques, the results do not threaten the security of applications using SHA-256.

New Results on Impossible Differential Cryptanalysis of Reduced---Round Camellia---128

Abstract: Camellia, a 128---bit block cipher which has been accepted by ISO/IEC as an international standard, is increasingly being used in many cryptographic applications. In this paper, using the redundancy in the key schedule and accelerating the filtration of wrong pairs, we present a new impossible differential attack to reduced---round Camellia. By this attack 12---round Camellia---128 without FL/FL ? 1 functions and whitening is breakable with a total complexity of about 2116.6 encryptions and 2116.3 chosen plaintexts. In terms of the numbers of the attacked rounds, our attack is better than any previously known attack on Camellia---128.

Herding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgård

Abstract: In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle-Damgard construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore "hash-twice" construction which process two concatenated copies of the message. We follow with showing how to apply the herding attack to tree hashes. Finally, we present a new type of attack -- the trojan message attack, which allows for producing second preimages of unknown messages (from a small known space) when they are appended with a fixed suffix.

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions: Application to RIPEMD and Others

Abstract: We describe preimage attacks on several double-branch hash functions. We first present meet-in-the-middle preimage attacks on RIPEMD, whose output length is 128 bits and internal state size is 256 bits. With this internal state size, a straightforward application of the meet-in-the-middle attack will cost the complexity of at least 2128, which gives no advantage compared to the brute force attack. We show two attacks on RIPEMD. The first attack finds pseudo-preimages and preimages of the first 33 steps with complexities of 2121 and 2125.5, respectively. The second attack finds pseudo-preimages and preimages of the intermediate 35 steps with complexities of 296 and 2113, respectively. We next present meet-in-the-middle preimage attacks on full Extended MD4, reduced RIPEMD-256, and reduced RIPEMD-320. The best known attack for these is the brute force attack. We show how to find preimages more efficiently on these hash functions.

Cryptanalysis of MDC-2

Abstract: We provide a collision attack and preimage attacks on the MDC-2 construction, which is a method (dating back to 1988) of turning an n -bit block cipher into a 2n -bit hash function. The collision attack is the first below the birthday bound to be described for MDC-2 and, with n = 128, it has complexity 2124.5, which is to be compared to the birthday attack having complexity 2128. The preimage attacks constitute new time/memory trade-offs; the most efficient attack requires time and space about 2 n , which is to be compared to the previous best known preimage attack of Lai and Massey (Eurocrypt '92), having time complexity 23n /2 and space complexity 2 n /2, and to a brute force preimage attack having complexity 22n .

Linearization Framework for Collision Attacks: Application to CubeHash and MD6

Abstract: In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector under the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on each output bit. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction under the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.

Cryptanalysis of Hash Functions with Structures

Abstract: Hash function cryptanalysis has acquired many methods, tools and tricks from other areas, mostly block ciphers. In this paper another trick from block cipher cryptanalysis, the structures, is used for speeding up the collision search. We investigate the memory and the time complexities of this approach under different assumptions on the round functions. The power of the new attack is illustrated with the cryptanalysis of the hash functions Grindahl and the analysis of the SHA-3 candidate Fugue (both functions as 256 and 512 bit versions). The collision attack on Grindahl-512 is the first collision attack on this function.

Hard and Easy Components of Collision Search in the Zémor-Tillich Hash Function: New Attacks and Reduced Variants with Equivalent Security

Abstract: The Zemor-Tillich hash function has remained unbroken since its introduction at CRYPTO'94. We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zemor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Zemor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.

A Three-Property-Secure Hash Function

Abstract: This paper proposes a new hash construction based on the widely used Merkle-Damgard (MD) iteration [13,9]. It achieves the three basic properties required from a cryptographic hash function: collision (Coll), second preimage (Sec) and preimage (Pre) security. We show property preservation for the first two properties in the standard security model and the third Pre security property is proved in the random oracle model. Similar to earlier known hash constructions that achieve a form of Sec (eSec [16]) property preservation [4,17], we make use of fixed key material in the iteration. But while these hashes employ keys of size at least logarithmic in the message length (in blocks), we only need a small constant key size. Another advantage of our construction is that the underlying compression function is instantiated as a keyless primitive. The Sec security of our hash scheme, however, relies heavily on the standard definitional assumption that the target messages are sufficiently random. An example of a practical application that requires Sec security and satisfies this definitional premise on the message inputs is the popular Cramer-Shoup encryption scheme [8]. Still, in practice we have other hashing applications where the target messages are not sampled from spaces with uniform distribution. And while our scheme is Sec preserving for uniform message distributions, we show that this is not always the case for other distributions.