
Showing papers on "Collision attack published in 2010"


Book
01 Jan 2010
TL;DR: This volume collects papers on low-cost cryptography, efficient implementations, side-channel attacks and countermeasures (including a correlation-enhanced power analysis collision attack and side-channel analysis of six SHA-3 candidates), tamper resistance and hardware Trojans, hardware evaluation of SHA-3 candidates, fault attacks, PUFs and RNGs, and new designs.
Abstract: Low Cost Cryptography.- Quark: A Lightweight Hash.- PRINTcipher: A Block Cipher for IC-Printing.- Sponge-Based Pseudo-Random Number Generators.- Efficient Implementations I.- A High Speed Coprocessor for Elliptic Curve Scalar Multiplications over .- Co-Z Addition Formulae and Binary Ladders on Elliptic Curves.- Efficient Techniques for High-Speed Elliptic Curve Cryptography.- Side-Channel Attacks and Countermeasures I.- Analysis and Improvement of the Random Delay Countermeasure of CHES 2009.- New Results on Instruction Cache Attacks.- Correlation-Enhanced Power Analysis Collision Attack.- Side-Channel Analysis of Six SHA-3 Candidates.- Tamper Resistance and Hardware Trojans.- Flash Memory 'Bumping' Attacks.- Self-referencing: A Scalable Side-Channel Approach for Hardware Trojan Detection.- When Failure Analysis Meets Side-Channel Attacks.- Efficient Implementations II.- Fast Exhaustive Search for Polynomial Systems in .- 256 Bit Standardized Crypto for 650 GE - GOST Revisited.- Mixed Bases for Efficient Inversion in and Conversion Matrices of SubBytes of AES.- SHA-3.- Developing a Hardware Evaluation Method for SHA-3 Candidates.- Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs.- Performance Analysis of the SHA-3 Candidates on Exotic Multi-core Architectures.- XBX: eXternal Benchmarking eXtension for the SUPERCOP Crypto Benchmarking Framework.- Fault Attacks and Countermeasures.- Public Key Perturbation of Randomized RSA Implementations.- Fault Sensitivity Analysis.- PUFs and RNGs.- An Alternative to Error Correction for SRAM-Like PUFs.- New High Entropy Element for FPGA Based True Random Number Generators.- The Glitch PUF: A New Delay-PUF Architecture Exploiting Glitch Shapes.- New Designs.- Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs.- ARMADILLO: A Multi-purpose Cryptographic Primitive Dedicated to Hardware.- Side-Channel Attacks and Countermeasures II.- Provably Secure Higher-Order Masking of AES.- Algebraic Side-Channel Analysis in the Presence of Errors.- Coordinate Blinding over Large Prime Fields.

181 citations


Posted Content
TL;DR: In this article, a side-channel based collision attack is proposed to break an AES implementation based on the corrected version of the masked S-box of Canright and Batina presented at ACNS 2008.
Abstract: Side-channel based collision attacks are a mostly disregarded alternative to DPA for analyzing unprotected implementations. The advent of strong countermeasures, such as masking, has made further research in collision attacks seemingly in vain. In this work, we show that the principles of collision attacks can be adapted to efficiently break some masked hardware implementations of the AES which still have first-order leakage. The proposed attack breaks an AES implementation based on the corrected version of the masked S-box of Canright and Batina presented at ACNS 2008 which is supposed to be resistant against first-order attacks. It requires only six times the number of traces necessary for breaking a comparable unprotected implementation. At the same time, the presented attack has minimal requirements on the abilities and knowledge of an adversary. The attack requires no detailed knowledge about the design, nor does it require a training phase.

180 citations


Book ChapterDOI
17 Aug 2010
TL;DR: This work shows that the principles of collision attacks can be adapted to efficiently break some masked hardware implementations of the AES which still have first-order leakage.
Abstract: Side-channel based collision attacks are a mostly disregarded alternative to DPA for analyzing unprotected implementations. The advent of strong countermeasures, such as masking, has made further research in collision attacks seemingly in vain. In this work, we show that the principles of collision attacks can be adapted to efficiently break some masked hardware implementations of the AES which still have first-order leakage. The proposed attack breaks an AES implementation based on the corrected version of the masked S-box of Canright and Batina presented at ACNS 2008. The attack requires only six times the number of traces necessary for breaking a comparable unprotected implementation. At the same time, the presented attack has minimal requirements on the abilities and knowledge of an adversary. The attack requires no detailed knowledge about the design, nor does it require a profiling phase.

165 citations


Book ChapterDOI
05 Dec 2010
TL;DR: The results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function.
Abstract: We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks run in time 2^{188.8} for finding preimages, and 2^{188.2} for second-preimages. Both have a memory requirement of order 2^8, which is much less than in any other recent preimage attacks on reduced Tiger. Using pre-computation techniques, the time complexity for finding a new preimage or second-preimage for MD4 can now be as low as 2^{78.4} and 2^{69.4} MD4 computations, respectively. The second-preimage attack works for all messages longer than 2 blocks.

102 citations


Journal ArticleDOI
TL;DR: The proposed scheme utilizes a chaotic hash function to achieve the contributory nature and enhance its security, and cryptanalysis demonstrates that this chaotic hash-based scheme can overcome all the current deficiencies.

88 citations


Journal ArticleDOI
TL;DR: Simulation results show that the improved algorithm has strong diffusion and confusion capability, good collision resistance, and extreme sensitivity to the message and secret key; the corresponding improvement measures are proposed.

77 citations


Journal ArticleDOI
TL;DR: In the proposed scheme, both the combiner and the participants can verify the correctness of the information exchanged among themselves, and high complexity operations like modular multiplication, exponentiation and inversion are avoided to increase its efficiency.

50 citations


Book ChapterDOI
01 Mar 2010
TL;DR: A brief overview of the state of hash functions 30 years after their introduction is presented and the progress of the SHA-3 competition is discussed, whose goal is to select a new hash function family by 2012.
Abstract: The first designs of cryptographic hash functions date back to the late 1970s; more proposals emerged in the 1980s. During the 1990s, the number of hash function designs grew very quickly, but for many of these proposals security flaws were identified. MD5 and SHA-1 were deployed in an ever increasing number of applications, resulting in the name “Swiss army knives” of cryptography. In spite of the importance of hash functions, only limited effort was spent on studying their formal definitions and foundations. In 2004 Wang et al. perfected differential cryptanalysis to a point that finding collisions for MD5 became very easy; for SHA-1 a substantial reduction of the security margin was obtained. This breakthrough has resulted in a flurry of research, resulting in new constructions and a growing body of foundational research. NIST announced in November 2007 that it would organize the SHA-3 competition, with the goal of selecting a new hash function family by 2012. From the 64 candidates submitted by October 2008, 14 have made it to the second round. This paper presents a brief overview of the state of hash functions 30 years after their introduction; it also discusses the progress of the SHA-3 competition.

50 citations


Book ChapterDOI
01 Mar 2010
TL;DR: In this paper, the first cryptanalytic attacks on reduced-round versions of the Grøstl hash functions are presented, obtained by several extensions of the rebound attack, including collision attacks on 4/10 rounds of Grøstl-256 and 5/14 rounds of Grøstl-512.
Abstract: Grøstl is one of 14 second round candidates of the NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression function of Grøstl-256 have already been published. However, little is known about the hash function, arguably a much more interesting cryptanalytic setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show the first cryptanalytic attacks on reduced-round versions of the Grøstl hash functions. These results are obtained by several extensions of the rebound attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash function and 5/14 rounds of the Grøstl-512 hash function. Additionally, we give the best collision attack for reduced-round (7/10 and 7/14) versions of the compression function of Grøstl-256 and Grøstl-512.

48 citations


Book ChapterDOI
05 Dec 2010
TL;DR: This paper presents non-full-active Super-Sbox analysis which can detect non-ideal properties of a class of AES-based permutations with a low complexity and improves a semi-free-start collision attack on the 7-round Grøstl-512 compression function.
Abstract: In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal properties of a class of AES-based permutations with a low complexity. We apply this framework to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round) ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^{182} and 2^{37} memory. The complexity, especially in terms of the product of time and memory, is drastically reduced from the previous best attack which required 2^{512}×2^{512}. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach improves a semi-free-start collision attack on the 7-round Grøstl-512 compression function. Our approach is based on a series of attacks on AES-based hash functions such as the rebound attack and Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active states.

47 citations


Book ChapterDOI
25 Jan 2010
TL;DR: In this article, the applicability of MD2 preimage attacks against the primary root certificate for Verisign, and the difficulty of validating X.509 Names contained within PKCS#10 Certificate Requests are demonstrated.
Abstract: Research unveiled in December of 2008 [15] showed how MD5’s long-known flaws could be actively exploited to attack the real-world Certification Authority infrastructure. In this paper, we demonstrate two new classes of collision, which will be somewhat trickier to address than previous attacks against X.509: the applicability of MD2 preimage attacks against the primary root certificate for Verisign, and the difficulty of validating X.509 Names contained within PKCS#10 Certificate Requests. We also draw particular attention to two possibly unrecognized vectors for implementation flaws that have been problematic in the past: the ASN.1 BER decoder required to parse PKCS#10, and the potential for SQL injection from text contained within its requests. Finally, we explore why the implications of these attacks are broader than some have realized — first, because Client Authentication is sometimes tied to X.509, and second, because Extended Validation certificates were only intended to stop phishing attacks from names similar to trusted brands. As per the work of Adam Barth and Collin Jackson [4], EV does not prevent an attacker who can synthesize or acquire a “low assurance” certificate for a given name from acquiring the “green bar” EV experience.

Journal ArticleDOI
TL;DR: Whirlwind compares favourably with the 512-bit versions of SHA-3 candidates such as LANE or the original CubeHash proposal and is about on par with ECHO and MD6.
Abstract: A new cryptographic hash function Whirlwind is presented. We give the full specification and explain the design rationale. We show how the hash function can be implemented efficiently in software and give first performance numbers. A detailed analysis of the security against state-of-the-art cryptanalysis methods is also provided. In comparison to the algorithms submitted to the SHA-3 competition, Whirlwind takes recent developments in cryptanalysis into account by design. Even though software performance is not outstanding, it compares favourably with the 512-bit versions of SHA-3 candidates such as LANE or the original CubeHash proposal and is about on par with ECHO and MD6.

Book ChapterDOI
01 Dec 2010
TL;DR: This paper proposes a new lightweight 256-bit hash function Lesamnta-LW with claimed security levels of at least 2^{120} with respect to collision, preimage, and second preimage attacks and adopts the Merkle-Damgård domain extension.
Abstract: This paper proposes a new lightweight 256-bit hash function Lesamnta-LW with claimed security levels of at least 2^{120} with respect to collision, preimage, and second preimage attacks. We adopt the Merkle-Damgård domain extension; the compression function is constructed from a dedicated AES-based block cipher using the LW1 mode, for which a security reduction can be proven. In terms of lightweight implementations, Lesamnta-LW offers a competitive advantage over other 256-bit hash functions. Our size-optimized hardware implementation of Lesamnta-LW requires only 8.24 Kgates on 90 nm technology. Our software implementation of Lesamnta-LW requires only 50 bytes of RAM and runs fast on short messages on 8-bit CPUs.

Journal Article
TL;DR: The first cryptanalytic attacks on reduced-round versions of the Grøstl hash functions are shown, obtained by several extensions of the rebound attack.
Abstract: Grøstl is one of 14 second round candidates of the NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression function of Grøstl-256 have already been published. However, little is known about the hash function, arguably a much more interesting cryptanalytic setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show the first cryptanalytic attacks on reduced-round versions of the Grøstl hash functions. These results are obtained by several extensions of the rebound attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash function and 5/14 rounds of the Grøstl-512 hash function. Additionally, we give the best collision attack for reduced-round (7/10 and 7/14) versions of the compression function of Grøstl-256 and Grøstl-512.

Proceedings ArticleDOI
11 Dec 2010
TL;DR: This paper proposes a distributed scheme that is based on low-cost hardware and can effectively identify the source of a collision attack and shows that correct identification of an adversarial node can be achieved with greater than 85% accuracy.
Abstract: Security is an important issue for sensor networks deployed in hostile environments, such as military battlefields. The low cost requirement precludes the use of tamper resistant hardware on tiny sensor nodes. Hence, sensor nodes deployed in open areas can be compromised and used to carry out various attacks on the network. In this paper, we consider the collision attack that can be easily launched by a compromised (or hostile) node: a compromised node does not follow the medium access control protocol and causes collisions with neighbor transmissions by sending a short noise packet. This attack does not consume much energy of the attacker but can cause a lot of disruption to the network operation. Due to the wireless broadcast nature, it is not trivial to identify the attacker. In this paper, we propose a distributed scheme that is based on low-cost hardware and can effectively identify the source of a collision attack. Our scheme is based on analyzing physical-layer Received Signal Strength Index (RSSI) readings. We show that correct identification of an adversarial node can be achieved with greater than 85% accuracy. We further present a technique that degrades gracefully as the background noise increases.

Posted Content
TL;DR: A package of statistical tests is designed based on certain cryptographic properties of block ciphers and hash functions to evaluate their randomness; it is applied to the AES finalists and produces more precise results than those obtained in similar applications.
Abstract: One of the most basic properties expected from block ciphers and hash functions is passing statistical randomness testing, as they are expected to behave like random mappings. Previously, testing of AES candidate block ciphers was done by concatenating the outputs of the algorithms obtained from various input types. In this work, a more convenient method, namely cryptographic randomness testing, is introduced. A package of statistical tests is designed based on certain cryptographic properties of block ciphers and hash functions to evaluate their randomness. The package is applied to the AES finalists, and produces more precise results than those obtained in similar applications.

Book ChapterDOI
12 Aug 2010
TL;DR: This paper presents two algorithms for computing preimages, each algorithm having its own advantages in terms of speed and preimage lengths and produces theoretical and experimental evidence that both are very efficient and succeed with a very large probability on the function parameters.
Abstract: After 15 years of unsuccessful cryptanalysis attempts by the research community, Grassl et al. have recently broken the collision resistance property of the Tillich-Zémor hash function. In this paper, we extend their cryptanalytic work and consider the preimage resistance of the function. We present two algorithms for computing preimages, each algorithm having its own advantages in terms of speed and preimage lengths. We produce theoretical and experimental evidence that both our algorithms are very efficient and succeed with a very large probability on the function parameters. Furthermore, for an important subset of these parameters, we provide a full proof that our second algorithm always succeeds in deterministic cubic time. Our attacks definitely break the Tillich-Zémor hash function and show that it is not even one-way. Nevertheless, we point out that other hash functions based on a similar design may still be secure.

Journal ArticleDOI
TL;DR: Wang et al. analyze the security of a parallel keyed hash function based on a chaotic neural network and demonstrate weak keys and forgery attacks against Xiao et al.'s scheme.

Book ChapterDOI
05 Jul 2010
TL;DR: In this paper, the authors present a study of Hamsi's resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of the hash function.
Abstract: Hamsi is one of 14 remaining candidates in NIST's Hash Competition for the future hash standard SHA-3. Until now, little analysis has been published on its resistance to differential cryptanalysis, the main technique used to attack hash functions. We present a study of Hamsi's resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of Hamsi. Our main results are efficient distinguishers and near-collisions for its full (3-round) compression function, and distinguishers for its full (6-round) finalization function, indicating that Hamsi's building blocks do not behave ideally.

Book ChapterDOI
01 Mar 2010
TL;DR: This work analyzes the security of the proposed TLS/SSL combiner constructions for pseudorandom functions and message authentication codes, respectively.
Abstract: The TLS and SSL protocols are widely used to ensure secure communication over an untrusted network. Therein, a client and server first engage in the so-called handshake protocol to establish shared keys that are subsequently used to encrypt and authenticate the data transfer. To ensure that the obtained keys are as secure as possible, TLS and SSL deploy hash function combiners for key derivation and the authentication step in the handshake protocol. A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. In this work, we analyze the security of the proposed TLS/SSL combiner constructions for pseudorandom functions and message authentication codes, respectively.

Journal ArticleDOI
TL;DR: The state-of-the-art cryptanalytic results on MD2 are presented, in particular collision and preimage attacks on the full hash function, the latter having complexity 2^{73}, which should be compared to a brute-force attack of complexity 2^{128}.
Abstract: This paper considers the hash function MD2 which was developed by Ron Rivest in 1989. Despite its age, MD2 has withstood cryptanalytic attacks until recently. This paper contains the state-of-the-art cryptanalytic results on MD2, in particular collision and preimage attacks on the full hash function, the latter having complexity 2^{73}, which should be compared to a brute-force attack of complexity 2^{128}.

Journal ArticleDOI
TL;DR: This Letter takes a chaos-based hash function proposed very recently in Amin, Faragallah and Abd El-Latif (2009) as a sample to analyze its computational collision problem, generalizes the construction method of one kind of chaos-based hash function, and summarizes some points to consider in order to avoid the collision problem.

Journal ArticleDOI
TL;DR: This paper presents a survey of 17 extenders in the literature and considers the natural question whether these preserve the security properties of the compression function, in particular collision resistance, second preimage resistance, preimage resistance and the pseudo-random oracle property.
Abstract: Cryptographic hash functions reduce inputs of arbitrary or very large length to a short string of fixed length. All hash function designs start from a compression function with fixed length inputs. The compression function itself is designed from scratch, or derived from a block cipher or a permutation. The most common procedure to extend the domain of a compression function in order to obtain a hash function is a simple linear iteration; however, some variants use multiple iterations or a tree structure that allows for parallelism. This paper presents a survey of 17 extenders in the literature. It considers the natural question whether these preserve the security properties of the compression function, and more in particular collision resistance, second preimage resistance, preimage resistance and the pseudo-random oracle property.

Book
01 Jan 2010
TL;DR: In this paper, a unified method for improving PRF bounds for a class of blockcipher-based MACs was proposed, and a domain extension for Enhanced Target Collision-Resistant Hash Functions was proposed.
Abstract: Stream Ciphers and Block Ciphers.- Cryptanalysis of the DECT Standard Cipher.- Improving the Generalized Feistel.- Nonlinear Equivalence of Stream Ciphers.- RFID and Implementations.- Lightweight Privacy Preserving Authentication for RFID Using a Stream Cipher.- Fast Software AES Encryption.- Hash Functions I.- Attacking the Knudsen-Preneel Compression Functions.- Finding Preimages of Tiger Up to 23 Steps.- Cryptanalysis of ESSENCE.- Theory.- Domain Extension for Enhanced Target Collision-Resistant Hash Functions.- Security Analysis of the Mode of JH Hash Function.- Enhanced Security Notions for Dedicated-Key Hash Functions: Definitions and Relationships.- Message Authentication Codes.- A Unified Method for Improving PRF Bounds for a Class of Blockcipher Based MACs.- How to Thwart Birthday Attacks against MACs via Small Randomness.- Constructing Rate-1 MACs from Related-Key Unpredictable Block Ciphers: PGV Model Revisited.- Hash Functions II.- Higher Order Differential Attack on Step-Reduced Variants of Luffa v1.- Rebound Attack on Reduced-Round Versions of JH.- Hash Functions III (Short Presentation).- Pseudo-cryptanalysis of the Original Blue Midnight Wish.- Differential and Invertibility Properties of BLAKE.- Cryptanalysis.- Rotational Cryptanalysis of ARX.- Another Look at Complementation Properties.- Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations.

Journal ArticleDOI
TL;DR: This paper proposes multiple-collision trapdoor hash families based on discrete logarithm and factoring assumptions, provides formal proofs of their security, and introduces an efficient on-line/off-line signature scheme based on the proposed trapdoor hash families.
Abstract: The first on-line/off-line signature scheme introduced by Even et al. in 1990 has two problems: (a) impractical signature length and (b) a one-time use of signature generated during the off-line phase. In 2001, Shamir and Tauman significantly shortened the length of the signature by using trapdoor hash families introduced by Krawczyk and Rabin in 2000. However, each trapdoor hash value and its signature in the off-line phase of Shamir and Tauman's signature scheme can be used for signing only one message in the on-line phase. In this paper, we propose multiple-collision trapdoor hash families based on discrete logarithm and factoring assumptions, and provide formal proofs of their security. We also introduce an efficient on-line/off-line signature scheme based on our proposed trapdoor hash families. Our on-line/off-line signature scheme can re-use a trapdoor hash value for signing multiple messages. If a signer includes this trapdoor hash value in the public-key digital certificate, there is no need to have any regular digital signature scheme to sign the trapdoor hash value in the off-line phase.

Book ChapterDOI
13 Oct 2010
TL;DR: The generic analysis gives a simpler proof than the FSE'09 analysis of TANDEM-DM while also tightening the security bound, and the collision resistance bound for CYCLIC-DM, which diminishes with an increasing cycle length c, is improved for cycle lengths larger than 2^6.
Abstract: We give collision resistance bounds for blockcipher based, double-call, double-length hash functions using (k, n)-bit blockciphers with k > n. Ozen and Stam recently proposed a framework [21] for such hash functions that use 3n-to-2n-bit compression functions and two parallel calls to two independent blockciphers with 2n-bit key and n-bit block size. We take their analysis one step further. We first relax the requirement of two distinct and independent blockciphers. We then extend this framework and also allow using the ciphertext of the first call to the blockcipher as an input to the second call of the blockcipher. As far as we know, our extended framework currently covers any double-length, double-call blockcipher based hash function known in the literature using a (2n, n)-bit blockcipher as, e.g., ABREAST-DM, TANDEM-DM [15], CYCLIC-DM [9] and Hirose's FSE'06 proposal [13]. Our generic analysis gives a simpler proof than the FSE'09 analysis of TANDEM-DM while also tightening the security bound. The collision resistance bound for CYCLIC-DM given in [9] diminishes with an increasing cycle length c. We improve this bound for cycle lengths larger than 2^6.

Posted Content
TL;DR: A new approach is presented that produces a 192-bit message digest and uses a modified message expansion mechanism which generates more bit differences in each working variable to make the algorithm more secure.
Abstract: Cryptographic hash functions play a central role in cryptography. Hash functions were introduced in cryptology to provide message integrity and authentication. MD5, SHA1 and RIPEMD are among the most commonly used message digest algorithms. Recently proposed attacks on well known and widely used hash functions motivate the design of new, stronger hash functions. In this paper a new approach is presented that produces a 192-bit message digest and uses a modified message expansion mechanism which generates more bit differences in each working variable to make the algorithm more secure. This hash function is collision resistant and assures good compression and preimage resistance.

Book ChapterDOI
12 Aug 2010
TL;DR: A new kind of attack based on a cancellation property in the round function is described, which allows efficient use of the degrees of freedom available to attack a hash function.
Abstract: In this paper we study the strength of two hash functions which are based on Generalized Feistels. We describe a new kind of attack based on a cancellation property in the round function. This new technique allows efficient use of the degrees of freedom available to attack a hash function. Using the cancellation property, we can avoid the non-linear parts of the round function, at the expense of some degrees of freedom. Our attacks are mostly independent of the round function in use, and can be applied to similar hash functions which share the same structure but have different round functions. We start with a 22-round generic attack on the structure of Lesamnta, and adapt it to the actual round function to attack 24-round Lesamnta (the full function has 32 rounds). We follow with an attack on 9-round SHAvite-3-512 which also works for the tweaked version of SHAvite-3-512.

Book ChapterDOI
07 Feb 2010
TL;DR: A pseudo-preimage attack on the Tiger compression function adopts the meet-in-the-middle approach; several properties or weaknesses in both the key schedule function and the step function of the Tiger compression function are derived, which give more freedom to separate the Tiger compression function into two independent parts.
Abstract: This paper evaluates the preimage resistance of the Tiger hash function. We will propose a pseudo-preimage attack on its compression function up to 23 steps with a complexity of 2^{181}, which can be converted to a preimage attack on 23-step Tiger hash function with a complexity of 2^{187.5}. The memory requirement of these attacks is 2^{22} words. Our pseudo-preimage attack on the Tiger compression function adopts the meet-in-the-middle approach. We will divide the computation of the Tiger compression function into two independent parts. This enables us to transform the target of finding a pseudo-preimage to another target of finding a collision between two independent sets of some internal state, which will reduce the complexity. In order to maximize the number of the attacked steps, we derived several properties or weaknesses in both the key schedule function and the step function of the Tiger compression function, which gives us more freedom to separate the Tiger compression function.

Journal ArticleDOI
TL;DR: The security of iterated hash functions that compute an input dependent checksum which is processed as part of the hash computation is analysed to show that a large class of such schemes, including those using non-linear or even one-way checksum functions, is not secure against the second preimage attack of Kelsey and Schneier, the herding attack of Kohno and the multicollision attack of Joux.
Abstract: We analyse the security of iterated hash functions that compute an input dependent checksum which is processed as part of the hash computation. We show that a large class of such schemes, including those using non-linear or even one-way checksum functions, is not secure against the second preimage attack of Kelsey and Schneier, the herding attack of Kelsey and Kohno and the multicollision attack of Joux. Our attacks also apply to a large class of cascaded hash functions. Our second preimage attacks on the cascaded hash functions improve the results of Joux presented at Crypto’04. We also apply our attacks to the MD2 and GOST hash functions. Our second preimage attacks on the MD2 and GOST hash functions improve the previous best known short-cut second preimage attacks on these hash functions by factors of at least 2^{26} and 2^{54}, respectively. Our herding and multicollision attacks on the hash functions based on generic checksum functions (e.g., one-way) are a special case of the attacks on the cascaded iterated hash functions previously analysed by Dunkelman and Preneel and are not better than their attacks. On hash functions with easily invertible checksums, our multicollision and herding attacks (if the hash value is short as in MD2) are more efficient than those of Dunkelman and Preneel.